Slashdot Mirror


Unauthorized iOS Apps Leak Private Data Less Than Approved Ones

Sparrowvsrevolution writes "In the wake of news that the iPhone app Path uploads users' entire contact lists without permission, Forbes dug up a study from a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users' private data. Not only did the researchers find that one in five of the free apps in Apple's app store upload private data back to the apps' creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on 'jailbroken' iPhones, tend to leak private data far less frequently than Apple's approved apps. The researchers ran their analysis on 1,407 free apps (PDF) on the two platforms. Of those tested apps, 21 percent of official App Store apps uploaded the user's Unique Device Identifier, for instance, compared with only four percent of unauthorized apps."

40 of 179 comments

  1. Profit. by Anonymous Coward · · Score: 5, Insightful

    In other words, applications developed by people interested in profit are more likely to steal your data.

    Hopefully this does not come as a shock to most slashdotters.

    1. Re:Profit. by Anonymous Coward · · Score: 5, Insightful

      Don't be obtuse. Whatever your stance on obtaining a copy of a more or less freely available* item of media, it's completely different from obtaining data about an individual without their consent. One is a civil issue dependent on the current legal and moral standings of the notion of copyright (which is far from universal or constant), the other is a privacy issue.

      *as in, available to anyone willing to pay

    2. Re:Profit. by Anonymous Coward · · Score: 3, Insightful

      Arguably, they're stealing your privacy -- or at least stripping you of it.

      The same is not always true with a movie: I'm not depriving them of the movie, or even likely to spoil it for anyone else, and I'm not depriving them of profits they would otherwise have had I paid for the movie (simply because I will not buy a movie). (I do, however, go to many movies when they hit the cheap theater in town. Mostly I like the popcorn. That shit costs twice what the movie ticket costs, though.)

    3. Re:Profit. by fightinfilipino · · Score: 2, Interesting

      and exactly what data do you have showing 1) that these groups are the same and 2) that people "claim that pirating movies isn't stealing"?

      quit it with the troll bait.

      what's really problematic is not whether there are legit uses for the data, but that the app developers aren't up front about data being shared at all.

    4. Re:Profit. by Calos · · Score: 4, Insightful

      I couldn't decide whether to mod you 'Overrated' (because I think you might actually believe what you're saying and are therefore not a Troll or Flamebait) or 'Funny' (because I can't figure out how exactly you're equating the two and it may well be a joke).

      So, instead, you get this reply.

      Now, understand that this doesn't come from someone who "claim(s) that pirating movies isn't stealing," though I do believe in the right to privacy. Maybe because of that, I don't see your insight into the matter (but apparently as you don't believe both, maybe you don't either). But I'm curious about why you see these things as the same, and why you think that there is an apparently significant intersection between the group that considers downloading movies not to be stealing and the group interested in privacy.

      You imply that a reproduction of the Mona Lisa and the details of your life, financial situation, activities, interests, online pseudonyms, and whereabouts are the same. Either you believe that I should be able to search for 'SiMac' on, say, the Pirate Bay and download this information same as I would a movie, or you don't. Which is it?

      Because even though I don't think that people should 'pirate' movies and I think I should have a right to privacy - I wouldn't equate the two. Why do you?

      --
      I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
    5. Re:Profit. by GameboyRMH · · Score: 2

      Yep, not surprised one bit. This is part of the reason I use FOSS apps wherever possible.

      And this is a big part of the motivation to "appify" everything - to break the inherent sandboxing ability of a browser, to get direct access to all your personal data.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. It's a matter of who does the verification by mehrotra.akash · · Score: 4, Insightful

    App store: Apple certifies app, people trust Apple, people download app, app creators can take advantage to get user data, unlikely to be caught
    Cydia: No certification, people are more likely to look at what the app is doing (also because someone who uses Cydia has a higher probability of knowing how to look at it), app creators more careful to not get a bad reputation

  3. Re:Data wants to be free by mehrotra.akash · · Score: 3, Interesting

    Or at least a virtual "profile" with random data in it, and while launching apps, you should be able to choose which data you want to give it access to

  4. Methodology? by tartles · · Score: 3, Interesting
    I checked the source publication and the following paragraph describes how they chose the apps:

    Since iTunes does not support direct searches for free applications, we rely on apptrakr.com [2] to provide a continuously updated list of popular, free iOS applications. Once a new application is added to their listings, our system automatically downloads the application via iTunes and decrypts it. Subsequently, the application is analyzed with PiOS.

    I didn't see anything that described how they chose the Cydia apps however. I bring this up because there are numerous very popular Cydia apps that are simply iOS tweaks that adjust a piece of the interface or something similar. These apps would intuitively be less likely to require any sort of user information at all, so I'm not sure how much I trust these results.

  5. How about Android apps ? by Taco+Cowboy · · Score: 4, Interesting

    Anyone has done any research on Android apps, on the same topic ?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:How about Android apps ? by mjwx · · Score: 4, Informative

      Anyone has done any research on Android apps, on the same topic ?

      Actually, very few leak details.

      Android applications have to ask permissions to get access to the internet or your personal details.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    2. Re:How about Android apps ? by Pieroxy · · Score: 4, Insightful

      Anyone has done any research on Android apps, on the same topic ?

      Actually, very few leak details.

      Android applications have to ask permissions to get access to the internet or your personal details.

      Which is all but the same as most tech-unaware users will dismiss the dialog. What they understand behind these dialog boxes is that if they click "No", the App won't work.

      It's a bit like electing the president. It's nice to ask people for their opinion, but the overwhelming majority has no clue what's at stake, so it serves very little purpose.

      Still, it's better than not asking. A little.

    3. Re:How about Android apps ? by IntlHarvester · · Score: 4, Insightful

      Yes, I'd consider myself a 'tech-aware user', and even Google's own apps want such a laundry list of permissions, it turns into "fuck, whatever" and then you press OK.

      Using Android was actually an interesting experiment for me, because I'd mulled over the possibilities of a capabilities-based permission system for many years. Then when I finally got one, I found it was realistically about as useful as an IE ActiveX dialog.

      --
      Business. Numbers. Money. People. Computer World.
    4. Re:How about Android apps ? by CheerfulMacFanboy · · Score: 2

      Anyone has done any research on Android apps, on the same topic ?

      Actually, very few leak details. Android applications have to ask permissions to get access to the internet or your personal details.

      Nice try, what about all the apps that Google removed from the marketplace exactly because they leaked details to the developer (aka Trojans)? What about those in the open markets?

      --
      Fandroids hate facts.
    5. Re:How about Android apps ? by jschrod · · Score: 4, Informative
      I can't count the amount of Android apps that I didn't install because they want to have r/w access to my contacts, even though they obviously don't need it for their functionality.

      There are also too many apps that demand an Internet connectivity where I ask myself why. Or I had to deinstall apps where the background process keeps downloading data all the time that I only need on a holiday, but not now; and I found no way of disabling the background process short of deinstallation (without rooting the phone, then means are available).

      So I'd say, Android has its similar share of problems.

      --

      Joachim

      People don't write Manifestos any more -- what's going on in this world? [Frank Zappa]

    6. Re:How about Android apps ? by Keeper+Of+Keys · · Score: 2

      > I also wish you could turn off specific permissions (so app developers would have to check that they have the permission before they used it, erroring - and asking for the permission - if that permission was required).

      Yes. Or maybe an option to "Install with No Permissions" or something. It would be interesting to see which parts of the app required which permissions, then you could make an informed choice whether you wanted X feature enough to expose yourself in that specific way.

    7. Re:How about Android apps ? by icebraining · · Score: 2

      Then you have to get a Symbian S60 phone. They show dialogs requesting permissions as the app needs them, not upfront. For example, I can launch Opera Mini and I have to give it network access, but I'm only asked for filesystem access (not with this name, of course) when I download some file.

    8. Re:How about Android apps ? by icebraining · · Score: 2

      Neither do the researchers, and they still found it. Excuses, excuses.

    9. Re:How about Android apps ? by mulaz · · Score: 2

      There is an app called LBE security (or something similar, search for LBE), where you can give/take away permissions, and you can have the app prompt for some permissions on a per-use basis.

      So, if angry birds wants location info, you get a pop-up, choose Don't allow (because it doesn't need it), mark 'remember', and continue playing.

      The bigger question is, what data does the application itself send around, since it requires a rooted phone.

      --
      i read your email
    10. Re:How about Android apps ? by cduffy · · Score: 3, Informative

      I wish you could restrict internet access to specific domains and I also wish you could turn off specific permissions

      CyanogenMod does this (allowing specific permissions to be rescinded).

    11. Re:How about Android apps ? by fuzzyfuzzyfungus · · Score: 4, Interesting

      What android really needs(and probably won't get, for actively self-interested reasons; but so it goes...) is the ability to lie.

      Right now, you can at least see what outrageous demands an application is making; but it's a take-it-or-leave-it thing. You cannot, for instance, specify that an application that wants your contacts list for no reason useful to you be installed such that any attempt to access the contacts list returns a false one, rather than the actual system-wide contacts.

      It'd likely add some resource overhead; but you could theoretically have a per-app 'virtual' set of android.* interfaces: some could transparently map to the real ones, others could be defined by a filter against the real ones(for network access, a specific set of firewall rules, or android.location interface that is based on the genuine android.location data; but with resolution reduced or a fictitious offset introduced, for instance), and some could be based on pure fictions unrelated to the real interface.

      The ability to lie would allow you to push back against the creeping trend to just demand all kinds of permissions without obvious reason; but still provide well-formed inputs where applications expect them, so that things will still work(alternative uses, such as polluting the databases of the various 'social' scum who treat hoovering up contacts as a business model, are left as an exercise to the reader); but the device owner's wishes will be preserved.

    12. Re:How about Android apps ? by lordbah · · Score: 5, Interesting

      I've tried to discuss the permissions they require with some Android app makers but I've never gotten anywhere. It usually goes something like this:

      I inquire as to why an article reading app would need permission to use my camera. They say the app has a function to take pictures and submit them. I say I don't currently have any interest in doing that - can't they have a base app which doesn't require that permission, and then for those who want to do something like that, have an add-on app which does require that permission? They tell me that Android permissions don't work that way. I tell them that I won't be installing their app.

      or

      I ask why a game wants access to my contact list and permission to make phone calls. They tell me it's just for a "friends" function, and they only want to read my phone's ID, they promise they would never do anything unwanted. I say I don't trust you that much yet, can't you have a version which doesn't require those permissions, and over time maybe I will come to trust you and then I can install the full version? They tell me that Android permissions don't work that way.

      or

      I ask why a streaming music app would need permission to "send email without my knowledge" or access my calendar. They say the app has the ability to share stations with my friends, "entirely under your (my) control", and display ads with a button which can add an event (concert presumably) to my calendar. I ask why then they would need to be able to do these things "*without my knowledge*". They say thank you, come again. I say I won't be installing your app then.

      So I would say the permissions are nice in theory but in practice many app developers are not willing to finely tune them and either unwilling or unable because of (they claim) platform restrictions to provide variants of the app with different functionality and different permission requirements.

      I have no experience with iOS so I can't say anything about that.

    13. Re:How about Android apps ? by Rich0 · · Score: 4, Interesting

      Yup - I've been advocating the same thing. LBE Privacy Guard is the closest I've seen to it in implementation - I assume it actually works.

      This was proposed as a feature for Cyanogenmod and shot down. CM now has the ability to revoke individual permissions, but it tends to lead to lots of force-close issues. Most likely they're just sending errors to applications, and not simply lying to them (which is less likely to cause a force-close - app designers already have to handle the case where a user has one contact named John Smith and they never leave Topeka with an IMEI of 12345678). When the app force closes CM tells the user it is their fault for revoking permissions and offers to let them unrevoke them.

      Android puts far too much control in the hands of app developers. It is like Windows 3.1 - it works great until some app decides to misbehave. Users, and not app designers, should be the final word in whether an app can run a service all day, or use the GPS vs the network, or transmit x GB of data per day, or whatever. And that final word shouldn't simply be to use or not to use - that is a race for the bottom.

    14. Re:How about Android apps ? by jo_ham · · Score: 3

      So now you know what it's like whenever an Apple article is posted. A torrent of misinformation and frothing bias, mixed in with a little fact, often twisted around to ridiculous extremes.

    15. Re:How about Android apps ? by Rich0 · · Score: 4, Informative

      Read for yourself here.

      I think the issue is that many of the CM devs care about their reputation in the phone industry. They don't want to tick off vendors, or Google.

    16. Re:How about Android apps ? by fuzzyfuzzyfungus · · Score: 2

      Wow, that was rather more vitriolic than I expected...

      Ironically, a slightly more 'neutrally presented' permission and filter based per-app provider namespace security scheme could actually be something of a killer app for Android, as well as a valuable tool for the privacy enthusiasts and database-jammers of the world:

      Consider the (vastly common, in my experience) 'dual use device' scenario where a single phone is used for both work and personal business(either a business phone that hasn't been given the lockdown treatment, or a personal phone that somebody has set up activesync on, usually). You want convenient stuff like syncing of the company directory to the phone's contacts to Just Work, so that your worker drones can email and call their cubemates efficiently; but you Do Not Want some idiot installing the SocialTwitFriendst.ir app and having it hoover up your entire directory, along with the sucker's gmail contacts, and sending it to some dodgy startup. Solution? All contacts imported from the company directory get a specific filter flag such that only apps blessed by IT can even tell they are there when they query the 'global' contacts list. Boom. The user can still install apps that demand 'Contacts' access, so IT doesn't have to break their phone; but only blessed apps are allowed to have their provider interface namespaces attached as children to the ones provided by corporate sync. Similar behavior could do things like force certain apps to communicate only through a VPN link, without breaking open internet for the browser, or any number of other scenarios.

      With some detailed thought about the architecture(this would, admittedly, have the potential to turn into a hellish spaghetti nightmare if you didn't have a clever designer on board) you could do some really neat role based permissions stuff, allowing multiple security contexts to more or less seamlessly exist on the same device, without leakage, or the rather clunky solution of multiple virtualized Android instances... In addition to the almost-certain-to-piss-off marketers privacy wonk scenarios(which these features would also enable), I can imagine some setups that would make IT types very happy indeed...

  6. Malware vs. virii by aaronb1138 · · Score: 2, Insightful

    This reminds me a bit of the early days of spyware and malware when anti-virus companies were behind the curve and tried to write off that since malware was typically installed with user consent, they weren't responsible for scanning, detecting, and removing it. Apple is doing the same, but without even saying it's not their responsibility. Instead, they keep giving consumers the false belief in the safety of the walled / curated garden. An oddity to be noted as well is that the Apple store has actually moved mainstream consumers farther into the reliance on the vendor for repairs. While most telcos will tell users to backup their data as best they can and perform a wipe on Android, most iPhone users I have supported have told me stories about waiting as much as a couple hours to get an Apple Geek to wipe their phone.

    This is a nice companion piece from Forbes to the article on iOS crash rates versus Android.

    On a sideways note, most /.ers realized long ago that as OSX continues to increase in market share, they will become the target for virus writers. I sincerely doubt Apple's sandbox for apps will do much to stop them. If anything, the sandbox makes it harder to find a well conceived malicious program.

  7. Hmmm... So far so dodgy... by Petersko · · Score: 2

    I hope the programmers among us actually read some of this study before chiming in based on its veracity... I'm just a few pages in and alarm bells are going off all over the place.

  8. Data Privacy? What about that? by hcs_$reboot · · Score: 4, Insightful

    You know MobileMe / iCloud of course: knowing an App store email address and its password, gives you access to the following: where is the iPhone/user at anytime, contacts list, emails ... among others. Pretty important data.
    So, in the subway/room... you enter your password to download an App, and someone may see and remember the credentials. It may happen, and? Gmail, for instance, allows you to get the list of the recent accesses to your account.
    Apple App Store, MobileMe? Nothing. There is absolutely no way to determine if someone else accesses your account unless the other guy changes/orders something. The only solution according to Apple is "Change your password". That case happened to a friend of mine who is not much in IT, and got suspicious after a few coincidences of interest. Considering the weight of iCloud and MobileMe, some more data protection is needed from Apple.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  9. Getting device identifier != "stealing your data" by sarysa · · Score: 4, Insightful

    I know that there is a considerable off-grid contingent on /., but I don't get why people use getting unique device identifier (UDID) as an example of stealing user data. It isn't hacking or anything -- it's a public API usable by any app writer. If it weren't acceptable to use, Apple wouldn't allow apps which access the UDID onto their store.

    There are a large number of practical applications for the UDID, ranging from the more user friendly uses such as automatic backup of app-specific data (i.e. game save), to mutually beneficial things like incentivization schemes, to features less popular to the user but necessary to make free content financially viable, i.e. targeted advertising.

    Whenever I rail against Apple around here, people always bring up the concept that most people just want their device to be an appliance, and don't want to care about the internals. This comes with said blissful ignorance. But those 20% of apps passing data back home aren't stealing anything -- they're just using another tool to profit in the modern mobile space. More than 99% of that 20% is sending no more than the UDID and data specific to the application itself. Stealing would be to somehow get the user's underlying iTunes account info and buying stuff with it. (though what Path was doing is a bit of a mess, heh...)

    --
    Charisma is the measure of someone's ability to lie with a straight face.
  10. First thing.. by geogob · · Score: 5, Informative

    ...I did after jailbreaking my iphone was to install a firewall. The experience was quite interesting, allowing me to see exactly which apps tried to contact remote sites and which sites they attempted to contact. And, to my knowledge, the only external sites contacted by unofficial apps I've seen were related to ad content.

    Access to private data outside of the apps (calendar, contacts, etc.) should be controllable on a per app basis, just like with location service. And each app accessing this data should be carefully reverse engineered and analyzed to ensure it is safe.

    1. Re:First thing.. by mjwx · · Score: 2, Insightful

      Access to private data outside of the apps (calendar, contacts, etc.) should be controllable on a per app basis, just like with location service.

      You mean the way Android does it? By listing the permissions the application has asked for when you install it.

      It wouldn't be the first thing they slavishly copied from Android (*cough*notification menu*cough*)

      And each app accessing this data should be carefully reverse engineered and analyzed to ensure it is safe.

      Good luck with that.

      Companies will object to their proprietary code and secrets being examined, users will scream until they get their fart apps.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  11. Well, did you accept the EULA? by Kaenneth · · Score: 5, Informative

    I actually read the EULA for the recent game "Civilization V", and it said they could take your contacts list, and share/sell it.
    Fortunately Valve/Steam was nice enough to give a refund before I installed it when I complained about it "As a one-time courtesy" not as policy, I'm sad to say.
    Particularly since the EULA wasn't available for viewing until after purchase.
    http://forums.steampowered.com/forums/showthread.php?t=2109777

    1. Re:Well, did you accept the EULA? by GameboyRMH · · Score: 2

      Some PC games will scrape your browser history, such as NFS:Shift. They'll actually use it to adjust the in-game advertising.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  12. Re:Data wants to be free by Calos · · Score: 3, Insightful

    And also completely defeating the purpose of the current system, disrupting the entire ecosystem. There's a chain, here: the app developers include these permissions so that they can profit from providing a free-to-download-app by serving ads, the ads paid for by those believing that they're targeting ads to those most likely to buy their product/service. If the users disrupt the data stream with 'dummy' data, the ad providers don't know how well they're targeting the ads, and the value to the ad purchasers diminishes.

    Not that I don't agree (and use software which lets me do the same on an Android phone) but the implications, when applied globally, greatly change the landscape.

    --
    I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
  13. Wait, what? by Anonymous Coward · · Score: 2, Insightful

    The whole idea of the device UUID is to create a primary key for users without actually using any of their personal information. So what if someone is storing your UUID? That's the whole point!

    If you give them your name and email and bank account information, and they tie that in with your UUID, then you have bigger problems than your UUID being "uploaded".

  14. Bullshit by Anonymous Coward · · Score: 2, Interesting

    "21 percent of official App Store apps uploaded the user's Unique Device Identifier"

    In iOS 5.x it's impossible to read out the UDID.
    Everybody still on 4.x should ask himself: Why?

  15. Re:Getting device identifier != "stealing your dat by AmiMoJo · · Score: 2

    My biggest problem with it is that it isn't generally made clear to the user unless they go looking. It probably says something vague about sending some identifying data back deep in the EULA somewhere but IMHO companies should be much more up-front about what they are doing.

    In particular instead of saying apps are "free" they should say "advertising supported" or "user tracking supported". As well as permission information the market/app store should say "tracks your device and app usage".

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  16. Re:Getting device identifier != "stealing your dat by Rich0 · · Score: 2

    Allowing people to build huge databases of devices with unique IDs is not a good idea. This is just CPU ID all over again. It takes control over a user's privacy away from the user.

    I'm fine with an API that assigns an app a unique ID on a particular phone, and which gives the user the ability to reset it to a new unique ID at any time, or force it to be a value of their own choosing. Oh, and two apps on the same phone get different IDs, and if you uninstall/reinstall the ID changes again. That makes the unique ID more like a session cookie, which I can see as having value for network-enabled apps.

  17. Re:Getting device identifier != "stealing your dat by dzfoo · · Score: 2

    You didn't read the PDF of the experiment, did you? In there they explained the risk of capturing the UDID.

    The identifier by itself does not say much. However, most of the companies offering the frameworks are either advertising brokers, or affiliated to them, which then use the captured identifiers to correlate them with additional personally identifying information captured through other applications and services in order to build a profile of the user.

    They give as an example AdMob, which is owned by Google. Wherein Google can easily capture the device ID of a GMail or Google+ user and associate it with their account. Then all apps using AdMob's advertising framework can report the device's ID, which can then be mapped in this database against a real user account.

              -dZ.

    --
    Carol vs. Ghost
    ...Can you save Christmas?
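
Added example (not part of the thread or of the study it discusses): a Python sketch contrasting the cross-app correlation dzfoo describes with the per-app, resettable identifier Rich0 proposes. The `Device` class, bundle names and every value are constructed for illustration; no real iOS or Android API is modeled.

```python
import secrets
from collections import defaultdict


class Device:
    """Constructed model of a phone that can expose two kinds of identifier."""

    def __init__(self, udid):
        self.udid = udid      # device-wide: every app sees the same value
        self._per_app = {}    # bundle id -> random app-scoped identifier

    def app_scoped_id(self, bundle):
        # Created on first use; unrelated to the UDID and to other apps' ids.
        if bundle not in self._per_app:
            self._per_app[bundle] = secrets.token_hex(16)
        return self._per_app[bundle]

    def reset(self, bundle, chosen=None):
        # User-initiated: a new random id, or a value of the user's choosing.
        new_id = chosen if chosen is not None else secrets.token_hex(16)
        self._per_app[bundle] = new_id
        return new_id

    def uninstall(self, bundle):
        # Forgetting the id means a reinstall starts with a fresh one.
        self._per_app.pop(bundle, None)


def collect_reports(device, observations, scoped):
    """What one ad framework embedded in several apps would send home."""
    reports = []
    for bundle, attribute, value in observations:
        ident = device.app_scoped_id(bundle) if scoped else device.udid
        reports.append({"id": ident, "app": bundle, attribute: value})
    return reports


def build_profiles(reports):
    """Broker side: merge every report that carries the same identifier."""
    profiles = defaultdict(lambda: {"apps": set(), "attrs": {}})
    for report in reports:
        profile = profiles[report["id"]]
        profile["apps"].add(report["app"])
        for key, value in report.items():
            if key not in ("id", "app"):
                profile["attrs"][key] = value
    return dict(profiles)


def cross_app_profiles(profiles):
    """Profiles that combine data from more than one app."""
    return [p for p in profiles.values() if len(p["apps"]) > 1]


# Constructed observations: (app bundle, attribute, value)
OBSERVATIONS = [
    ("com.example.mail", "account", "alice@example.com"),
    ("com.example.game", "city", "Topeka"),
    ("com.example.news", "interest", "finance"),
]


def demo():
    """Return the broker's view under each identifier scheme."""
    phone = Device(udid="UDID-CONSTRUCTED-0001")
    with_udid = build_profiles(collect_reports(phone, OBSERVATIONS, scoped=False))
    with_scoped = build_profiles(collect_reports(phone, OBSERVATIONS, scoped=True))
    return with_udid, with_scoped


if __name__ == "__main__":
    udid_view, scoped_view = demo()
    print("device-wide id:", len(cross_app_profiles(udid_view)), "linked profile(s)")
    print("app-scoped ids:", len(cross_app_profiles(scoped_view)), "linked profile(s)")
```

With the device-wide identifier the broker ends up with a single record tying the mail account to the game and news data; with app-scoped identifiers it holds three records it cannot join on the identifier alone.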