Unauthorized iOS Apps Leak Private Data Less Than Approved Ones
Sparrowvsrevolution writes "In the wake of news that the iPhone app Path uploads users' entire contact lists without permission, Forbes dug up a study from a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users' private data. Not only did the researchers find that one in five of the free apps in Apple's app store upload private data back to the apps' creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on 'jailbroken' iPhones, tend to leak private data far less frequently than Apple's approved apps. The researchers ran their analysis on 1,407 free apps (PDF) on the two platforms. Of those tested apps, 21 percent of official App Store apps uploaded the user's Unique Device Identifier, for instance, compared with only four percent of unauthorized apps."
In other words, applications developed by people interested in profit are more likely to steal your data.
Hopefully this does not come as a shock to most slashdotters.
App store: Apple certifies app, people trust Apple, people download app, app creators can take advantage to get user data, unlikely to be caught
Cydia: No certification, people are more likely to look at what the app is doing (also because someone who uses Cydia has a higher probability of knowing how to look at it), app creators more careful to not get a bad reputation
You know MobileMe / iCloud of course: knowing an App store email address and its password gives you access to the following: where is the iPhone/user at any time, contacts list, emails ... among others. Pretty important data.
So, in the subway/room... you enter your password to download an App, and someone may see and remember the credentials. It may happen, and? Gmail, for instance, allows you to get the list of the recent accesses to your account.
Apple App Store, MobileMe? Nothing. There is absolutely no way to determine if someone else accesses your account unless the other guy changes/orders something. The only solution according to Apple is "Change your password". That case happened to a friend of mine who is not much in IT, and got suspicious after a few coincidences of interest. Considering the weight of iCloud and MobileMe, some more data protection is needed from Apple.
Slashdot, fix the reply notifications... You won't get away with it...
I know that there is a considerable off-grid contingent on /., but I don't get why people use getting unique device identifier (UDID) as an example of stealing user data. It isn't hacking or anything -- it's a public API usable by any app writer. If it weren't acceptable to use, Apple wouldn't allow apps which access the UDID onto their store.
There are a large number of practical applications for the UDID, ranging from the more user friendly uses such as automatic backup of app-specific data (i.e. game save), to mutually beneficial things like incentivization schemes, to features less popular to the user but necessary to make free content financially viable, i.e. targeted advertising.
Whenever I rail against Apple around here, people always bring up the concept that most people just want their device to be an appliance, and don't want to care about the internals. This comes with said blissful ignorance. But those 20% of apps passing data back home aren't stealing anything -- they're just using another tool to profit in the modern mobile space. More than 99% of that 20% is sending no more than the UDID and data specific to the application itself. Stealing would be to somehow get the user's underlying iTunes account info and buying stuff with it. (though what Path was doing is a bit of a mess, heh...)
Charisma is the measure of someone's ability to lie with a straight face.
Has anyone done any research on Android apps, on the same topic?
Actually, very few leak details.
Android applications have to ask permissions to get access to the internet or your personal details.
Which is all but the same as most tech-unaware users will dismiss the dialog. What they understand behind these dialog boxes is that if they click "No", the App won't work.
It's a bit like electing the president. It's nice to ask people for their opinion, but the overwhelming majority has no clue what's at stake, so it serves very little purpose.
Still, it's better than not asking. A little.
Write boring code, not shiny code!
Yes, I'd consider myself a 'tech-aware user', and even Google's own apps want such a laundry list of permissions, it turns into "fuck, whatever" and then you press OK.
Using Android was actually an interesting experiment for me, because I'd mulled over the possibilities of a capabilities-based permission system for many years. Then when I finally got one, I found it was realistically about as useful as an IE ActiveX dialog.
Business. Numbers. Money. People. Computer World.