Unauthorized iOS Apps Leak Private Data Less Than Approved Ones
Sparrowvsrevolution writes "In the wake of news that the iPhone app Path uploads users' entire contact lists without permission, Forbes dug up a study from a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users' private data. Not only did the researchers find that one in five of the free apps in Apple's app store upload private data back to the apps' creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on 'jailbroken' iPhones, tend to leak private data far less frequently than Apple's approved apps. The researchers ran their analysis on 1,407 free apps (PDF) on the two platforms. Of those tested apps, 21 percent of official App Store apps uploaded the user's Unique Device Identifier, for instance, compared with only four percent of unauthorized apps."
In other words, applications developed by people interested in profit are more likely to steal your data.
Hopefully this does not come as a shock to most slashdotters.
Ha ha ha, too funny. Get an Android phone...
Clearly, there seems to be a need for a privacy firewall, that will filter all data on a computer system, somewhat like the military 'data-diodes'.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
App store: Apple certifies app, people trust Apple, people download app, app creators can take advantage to get user data, unlikely to be caught
Cydia: No certification, people are more likely to look at what the app is doing (also because someone who uses Cydia has a higher probability of knowing how to look at it), app creators more careful to not get a bad reputation
Sure, Lookout and company find malware, Google removes it, etc. The Android alternative markets can have loads of malware (percentage-wise), but at least we are fairly aware of what's going on. The Apple ecosystem is still a big black box where the nastiness is ignored and unknown. Even the notion that apps are vetted is completely misleading, as shown by Charlie Miller at SyScan. Apple doesn't even release stats like what the market distribution is among the different iOS devices.
Since iTunes does not support direct searches for free applications, we rely on apptrakr.com [2] to provide a continuously updated list of popular, free iOS applications. Once a new application is added to their listings, our system automatically downloads the application via iTunes and decrypts it. Subsequently, the application is analyzed with PiOS.
I didn't see anything that described how they chose the Cydia apps however. I bring this up because there are numerous very popular Cydia apps that are simply iOS tweaks that adjust a piece of the interface or something similar. These apps would intuitively be less likely to require any sort of user information at all, so I'm not sure how much I trust these results.
Has anyone done any research on Android apps on the same topic?
Many thanks, Mr. Edward Snowden!
This reminds me a bit of the early days of spyware and malware when anti-virus companies were behind the curve and tried to write off that since malware was typically installed with user consent, they weren't responsible for scanning, detecting, and removing it. Apple is doing the same, but without even saying it's not their responsibility. Instead, they keep giving consumers the false belief in the safety of the walled / curated garden. An oddity to be noted as well is that the Apple store has actually moved mainstream consumers farther into the reliance on the vendor for repairs. While most telcos will tell users to backup their data as best they can and perform a wipe on Android, most iPhone users I have supported have told me stories about waiting as much as a couple hours to get an Apple Geek to wipe their phone.
This is a nice companion piece from Forbes to the article on iOS crash rates versus Android.
On a sideways note, most /.ers realized long ago that as OSX continues to increase in market share, they will become the target for virus writers. I sincerely doubt Apple's sandbox for apps will do much to stop them. If anything, the sandbox makes it harder to find a well-conceived malicious program.
I hope the programmers among us actually read some of this study before chiming in based on its veracity... I'm just a few pages in and alarm bells are going off all over the place.
Does this invalidate some of the claims about Apple just protecting its users by restricting their freedom?
You know MobileMe / iCloud of course: knowing an App store email address and its password, gives you access to the following: where is the iPhone/user at anytime, contacts list, emails ... among others. Pretty important data.
So, in the subway/room... you enter your password to download an App, and someone may see and remember the credentials. It may happen, and? Gmail, for instance, allows you to get the list of the recent accesses to your account.
Apple App Store, MobileMe? Nothing. There is absolutely no way to determine if someone else accesses your account unless the other guy changes/orders something. The only solution according to Apple is "Change your password". That case happened to a friend of mine who is not much into IT, and got suspicious after a few coincidences of interest. Considering the weight of iCloud and MobileMe, some more data protection is needed from Apple.
I know that there is a considerable off-grid contingent on /., but I don't get why people use getting unique device identifier (UDID) as an example of stealing user data. It isn't hacking or anything -- it's a public API usable by any app writer. If it weren't acceptable to use, Apple wouldn't allow apps which access the UDID onto their store.
There are a large number of practical applications for the UDID, ranging from the more user friendly uses such as automatic backup of app-specific data (i.e. game save), to mutually beneficial things like incentivization schemes, to features less popular to the user but necessary to make free content financially viable, i.e. targeted advertising.
Whenever I rail against Apple around here, people always bring up the concept that most people just want their device to be an appliance, and don't want to care about the internals. This comes with said blissful ignorance. But those 20% of apps passing data back home aren't stealing anything -- they're just using another tool to profit in the modern mobile space. More than 99% of that 20% is sending no more than the UDID and data specific to the application itself. Stealing would be to somehow get the user's underlying iTunes account info and buying stuff with it. (though what Path was doing is a bit of a mess, heh...)
...I did after jailbreaking my iPhone was to install a firewall. The experience was quite interesting, allowing me to see exactly which apps tried to contact remote sites and which sites they attempted to contact. And, to my knowledge, the only external sites contacted by unofficial apps I've seen were related to ad content.
Access to private data outside of the app (calendar, contacts, etc.) should be controllable on a per-app basis, just like with location services. And each app accessing this data should be carefully reverse engineered and analyzed to ensure it is safe.
I actually read the EULA for the recent game "Civilization V", and it said they could take your contacts list, and share/sell it.
Fortunately Valve/Steam was nice enough to give a refund before I installed it when I complained about it, "as a one-time courtesy", not as policy, I'm sad to say.
Particularly since the EULA wasn't available for viewing until after purchase.
http://forums.steampowered.com/forums/showthread.php?t=2109777
When is this app going to be available?
or does UCSB no longer stand for You Can Study Buzzed?
The whole idea of the device UUID is to create a primary key for users without actually using any of their personal information. So what if someone is storing your UUID? That's the whole point!
If you give them your name and email and bank account information, and they tie that in with your UUID, then you have bigger problems than your UUID being "uploaded".
"21 percent of official App Store apps uploaded the user's Unique Device Identifier"
In iOS 5.x it's impossible to read out the UDID.
Everybody still on 4.x should ask himself: Why?
My biggest problem with it is that it isn't generally made clear to the user unless they go looking. It probably says something vague about sending some identifying data back deep in the EULA somewhere, but IMHO companies should be much more up-front about what they are doing.
In particular instead of saying apps are "free" they should say "advertising supported" or "user tracking supported". As well as permission information the market/app store should say "tracks your device and app usage".
It's shocking that people who are interested in harvesting user data would target the larger market of the two? Why would they target the users of Cydia, all of whom have at least the tech savvy to value and accomplish a jailbreak, over the teeming, unwashed masses lining up at the App Store?
Next you'll tell me that Macs have so few viruses because they are super secure, and not because they are so greatly outnumbered by Windows machines...
Works for sale under copyright (or otherwise available to the public and controlled by copyright) are not private. My contact details are. After all, you do NOT get copyright on your contact details, do you.
Therefore there is no logical fallacy in decrying privacy violation but decrying piracy's mischaracterisations by the content industry.
There's also the little fact that piracy isn't stealing, so even if you want even stronger copyright, you will only be honest if you refute the statement that piracy is stealing.
Two reasons why there is no logical problem.
A third reason is that none of these, either your misrepresentations, or the facts, are logical fallacies. I would suggest you get a dictionary.
How about we rephrase it as "Getting your name"?
Maybe my betters know why it needs to be a Unique Device ID, but the privacy problems are growing because Unique ID Data all link to itself and it's only smoke and mirrors keeping it all from crashing in. Look at the mess the Social Security Number is in. "For your security, let's have the Last 4 of your Social and thanks to Facebook, your Mother's Maiden Name."
So somewhere either now or later, someone will have a database of phone Unique Device ID's to Names. And oh yes, some of these programs are meddling with contact data too.
So why isn't it just enough for a phone to say "Hi, I'm an Apple iPhone, there are many like me but this one is his"?
Since the EULA was refused, the contract was refused. Therefore you must be allowed to get your money back. ESPECIALLY when the DRM requires activation. For that to be of any point whatsoever, this has to be confirmed as proof you haven't used the game at all. If it isn't, because they know it is or will be cracked, then DRM has no point at all except as another excuse for expensive games and control.
And you won't find that on any marketing blurb...
Therefore AS A MATTER OF POLICY they have to refund you.
IF they then say you have not bought the license, you bought the game which you still have, then they're already lost: they keep whining about how you bought the license when it suits them. In fact the hordes of Fluffers For Steam (tm) will INSIST that you bought a license, not the game.
The analysis was great. They used some very clever techniques, and wrote it up thoroughly.
The reporting is absurdly overhyped, with statements like "one in five of the free apps in Apple's app store upload private data back to the apps' creators " Almost all of the "privacy leaking" was simply apps capturing device ID's (UDID), which is routine piece of data collected for issue resolution, and isn't "privacy" any more than a web server logging your IP address is violating your privacy. If you're worried about that, you probably should change your IP address every day, and disable browser cookies. A few apps ask for location data (which requires user acceptance) and send it to the server, which is under user control so isn't "leaking".
The only "bad" apps that they found were a "few cases in which the address book, the browser history, and the photo gallery is leaked." Those are (at least potentially) evil. They found 5 in iOS and 4 in Cydia, which was well under 1% of the apps checked. Those apps should be "outed" so that people can at least make an informed decision about whether there's a good need for that kind of data access.
Except for the targeted ads, all of these use cases could be satisfied with a unique per-app user ID. e.g. The OS could create a hash of the UDID and the app name and give that to the app.
The question is not "is the feature useful?" The question is "given a spectrum of possible implementations, why is the most privacy-invading always chosen?"
how badly the European-style privacy and 'forget me' laws were necessary.
I'm not so sure about UDID giving away no more privacy than IP.
IP doesn't identify a single device, thanks to NATs and dynamic pools and conversely same device isn't bound to single IP, it's many to many relation. To track someone specific you need more than his IP, like a cookie, for example. And many indeed disable browser cookies for this very reason, just as you propose.
UDID, on the other hand, is a strict one to one relation, it's unchangeable, linked to single device and can't be disabled. UDID is much better suitable for tracking and collating info across different sources. Add a little bit more, and you're tracking a user even after a new phone purchase.
Allowing people to build huge databases of devices with unique IDs is not a good idea. This is just CPU ID all over again. It takes control over a user's privacy away from the user.
I'm fine with an API that assigns an app a unique ID on a particular phone, and which gives the user the ability to reset it to a new unique ID at any time, or force it to be a value of their own choosing. Oh, and two apps on the same phone get different IDs, and if you uninstall/reinstall the ID changes again. That makes the unique ID more like a session cookie, which I can see as having value for network-enabled apps.
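The two posts above sketch the same design from different angles: the OS hands each app a hash derived from the UDID and the app name, and the user can reset it, pick their own value, or have it change on reinstall. The sketch below is an added example, not code from the thread, from the paper or from Apple; the class and method names, the made-up UDID string and the bundle identifiers are all constructed. One caveat worth building in: a bare hash(UDID, app name) can be recomputed by anyone who already holds a UDID table, so the derivation here also mixes in a random per-app salt that never leaves the OS, which is what makes "reset" possible at all.

```python
"""Per-app, user-resettable device identifier (constructed example, not Apple's code)."""
import hashlib
import hmac
import secrets


def per_app_id(udid: str, bundle_id: str, salt: bytes) -> str:
    """Derive the identifier one app is allowed to see.

    key  = SHA-256(UDID || per-app salt)       -- stays inside the OS
    id   = HMAC-SHA256(key, bundle_id)         -- what the app gets

    Same device, same app, same salt  -> same id (good enough for saves/sessions).
    Different app                     -> unrelated id; two ad SDKs cannot join records.
    New salt (reset/uninstall)        -> new id, old tracking history is orphaned.
    The id reveals neither the UDID nor the salt, and knowing the UDID alone is not
    enough to recompute it.
    """
    key = hashlib.sha256(udid.encode() + salt).digest()
    return hmac.new(key, bundle_id.encode(), hashlib.sha256).hexdigest()


class DeviceIdentityService:
    """Toy stand-in for the OS component apps would query instead of reading the UDID."""

    def __init__(self, udid: str) -> None:
        self._udid = udid                      # never handed out to apps
        self._salts: dict[str, bytes] = {}     # hypothetical per-app salt store
        self._overrides: dict[str, str] = {}   # user-chosen values, if any

    def identifier_for(self, bundle_id: str) -> str:
        """What an app with this bundle id sees when it asks for 'the device id'."""
        if bundle_id in self._overrides:       # user forced a value of their choosing
            return self._overrides[bundle_id]
        salt = self._salts.setdefault(bundle_id, secrets.token_bytes(16))
        return per_app_id(self._udid, bundle_id, salt)

    def reset(self, bundle_id: str) -> None:
        """User-initiated reset, or the app being uninstalled: forget salt and override."""
        self._salts.pop(bundle_id, None)
        self._overrides.pop(bundle_id, None)

    def set_identifier(self, bundle_id: str, value: str) -> None:
        """Let the user pin an identifier of their own choosing for one app."""
        self._overrides[bundle_id] = value


def linkable(id_a: str, id_b: str) -> bool:
    """What a cross-app tracker can do with two identifiers: join them only if equal."""
    return id_a == id_b


if __name__ == "__main__":
    svc = DeviceIdentityService("a1b2c3d4e5f60718293a4b5c6d7e8f9012345678")  # made-up UDID
    game = svc.identifier_for("com.example.game")
    news = svc.identifier_for("com.example.news")
    print("game app sees :", game)
    print("news app sees :", news)
    print("tracker can join the two?", linkable(game, news))
    svc.reset("com.example.game")
    print("after reset, game app sees:", svc.identifier_for("com.example.game"))
```

The stable-per-app property still serves the legitimate uses listed earlier in the thread (save-game backup, per-app analytics), while the cross-app join that an ad network needs is exactly what the derivation removes.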
You didn't read the PDF of the experiment, did you? In there they explained the risk of capturing the UDID.
The identifier by itself does not say much. However, most of the companies offering the frameworks are either advertising brokers, or affiliated to them, which then use the captured identifiers to correlate them with additional personally identifying information captured through other applications and services in order to build a profile of the user.
They give as an example AdMob, which is owned by Google. Wherein Google can easily capture the device ID of a GMail or Google+ user and associate it with their account. Then all apps using AdMob's advertising framework can report the device's ID, which can then be mapped in this database against a real user account.
There was a copy of the game Temple Run in the Android Market. Temple Run is a popular game app currently available for iOS only, and someone noticed something odd about it. This copy of Temple Run is seen as available on the Android Market. But if you check the information on the game developer, you'll see that it is not the same developer as the one indicated in the iOS version, which is Imangi Studios. This later turned out to be malware.
Accessing the UDID is deprecated in iOS 5. Use of deprecated APIs is an app submission offense that can result in rejection.
So, Apple knows about this sort of crap, and is phasing out the ability to do it.
This is just CPU ID all over again. It takes control over a user's privacy away from the user.
Yes. These are "free" apps. Not News: corporations aren't the only predatory entities out there. There's still individuals mugging and raping people all on their own.
Windows has viruses and trojans, iBaubles do the same thing in different ways 20% of the time. Who knew?!? :-O
Tell your friends: free is not necessarily equal to benign. Even FLOSS advocates learned that a long time ago. You go with your distro's software repository, not just random tarballs you stumble across and hope for the best.
Apparently, that's not necessarily the case outside of FLOSS.
Apple wouldn't allow apps which access the UDID onto their store.
Apple has removed UUID from the public API starting in iOS 5. The problem is that Apple has already allowed apps which use UUID into their store.
It's still possible to read the wireless MAC address, so identifying individual iPads and users is still possible.
One thing that impressed me about blackberry was that it asked me when an app wanted to do something (not before I downloaded/installed it), and gave me the "yes/always/no" option for trusting that app with said permission in the future. It was also a lot more fine-grained than android's "let them see security detail X and they can also sniff your calls and text-messages" type security.
I believe you can do this to some extent with "cyanogenmod" on Android, so I really wish google would get off their duff and look at adding such capabilities into the base unmodded OS.
I'd love to know why so many apps require 'full network access' when, near as I can tell, their purpose requires no access.
Their purpose, from the developer's point of view, is to show advertisements to the user, and they need an Internet connection to download those ads. Any functionality is secondary.
In particular instead of saying apps are "free" they should say "advertising supported" or "user tracking supported".
When it comes to mobile apps, I think that if you see the former, you should assume at least one of the latter.
Hell, why does Angry Birds need my Location Services info?
If you're referring to ad-supported "free" games, I imagine that the app's sponsors want to show you ads for local businesses near your location, not on another continent.
While this can be a concern, you have to put it into perspective. You download some game and now Google knows you play that game because it has AdMob. So what? Apple already has insane amount of your usage statistics that would make Google foam at the mouth. In the end, though, for all these tech giants know about me, they only want to use it to sell me stuff.
The only exception to this rule has been Facebook, which is why I quarantine my Facebook account in a browser I don't normally use. They have a track record of publishing unapproved information to a user's friends, and my philosophy is once a scumbag, always a scumbag. I'm finding it too hard to completely boycott them, so I've just metaphorically stuffed them into a box.
But Google and Apple (the latter of which I'm a certified hater of) are mature companies who just want to be able to charge more for impressions and click-throughs, so I just don't care. I can easily quarantine searches that I don't want even them being aware of. As for the makers of the game you downloaded, they just want statistics across their entire portfolio for making smarter business decisions in the future. None of these parties want to harass you.
This seems a little like saying, if I leave my backpack unattended on the sidewalk, cops are going to peek inside more often than regular people. Problem is: there's going to be someone among the "regular folk" who will just take the whole damn thing. Sure, cops are going to inspect more-often, but there's lower chance of the worst case.
The reason I don't jailbreak my iPhone or use Cydia is because I want to limit the worst-case scenario of intrusion. My understanding is, if it's in Apple's app store, then Apple has the identity of someone who can be held responsible if the app misbehaves. If some app steals my credit card number or passwords or whatever, there's a good chance (or, at least, much better than Cydia's... which is zero) that we'll be able to track down *someone* whose head we can put on a pike. And that, I feel, should give pause to anybody getting any funny ideas about putting a malicious app in Apple's app store. (It works kinda the same with DKIM mail and crypto-signed mail; it doesn't guarantee that the mail isn't spam. It just gives you more reason to believe that you can track the sender down...)
All it takes is *one* malicious app that you get from Cydia and you're toast. Which is why I think that it's a fool who would switch to Cydia in order to keep their data more safe.
I think some of this can be solved by the Android OS developers, not Android app developers. The biggest problem is *there is no optional option for permissions*.
I will give you an example: I can improve my app a little bit by accessing user GPS, and seeing where they are. Some users don't care, and will willingly give up their GPS for a slight improvement in functionality. Then there are users who freak out about why an app which reads e-mail, or sends SMSs, or whatever, needs to know your GPS location - which is fine. But there is currently no way to make this optional. It is Manichean - the app either requests GPS for everyone, or it does not. There is no optional option, no way to fine-tune it and so forth.
And in essence, the fact that there are no optional permissions and no fine-tuning more or less plays into what will become a complete lack of privacy. More and more Java jars I include with my app will request more and more permissions, as will my core app.
If I want to put in GPS functionality for the 2-5% of users who want it, I'm forced to do it for 100% of people.
You could say "release two separate apps". But there are a million things I could release two apps for. You already see phone and tablet versions of apps, and this sort of thing. I want to keep everything all in one app and one project as much as I can. I'm not going to release a phone app and tablet app, each with 8 possible permission parameters turned on or off.
Tell Android and Google to allow optional permissions in the Android Manifest and the code. It is a problem with the ICS and pre-ICS permissions in the code base, not developers like me. It's no sweat off my back to allow a setting for the 5% of users who care enough about privacy to turn GPS and the like off. It means less complaining Market comments and the like. E-mail Google.
No, they've tried to. "Send us email, go to our Facebook page, watch our twitter feed, ..."
Oh don't be silly, they bought data from apparently unrelated market research surveys, conducted their own surveys, etc.
Sure. My point is about leverage. Yeah, they've done all that before by hiring cheap labour to dive into whatever datasets they could come across trying to come up with correlations they could then attempt to exploit. 21st Century, the game's changed. Computers and software make all of that cheap and easy to do with vast amounts of $any_data_wherever_you_find_it, some of which is sent off without the luser even being aware it's being sent. Before, they had to beg you to "come out" to them. Now, "out" is the default, and they only need to grep your "outed" data (cf. Facebook, "free games", et al). I doubt I'm a genius, but even I've done some pretty slick stuff with RDBs and perl.
Remember that story a couple of months ago about that app installed by default on smartphones that reported back to the mother ship, ostensibly to optimize network performance? Remember how surprised everyone was that that was even happening? I wasn't. :-|
Politicians are passing laws that make illegal wiretapping legal (AT&T --> NSA). Why be surprised to learn that mere corporations are raping customers of their personal information? Corporations don't have to care about morals and ethics. They're only supposed to care about maximizing profits and minimizing costs.
Consumers are the new cannon fodder.