Slashdot Mirror


Unauthorized iOS Apps Leak Private Data Less Than Approved Ones

Sparrowvsrevolution writes "In the wake of news that the iPhone app Path uploads users' entire contact lists without permission, Forbes dug up a study from a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users' private data. Not only did the researchers find that one in five of the free apps in Apple's app store upload private data back to the apps' creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on 'jailbroken' iPhones, tend to leak private data far less frequently than Apple's approved apps. The researchers ran their analysis on 1,407 free apps (PDF) on the two platforms. Of those tested apps, 21 percent of official App Store apps uploaded the user's Unique Device Identifier, for instance, compared with only four percent of unauthorized apps."


  1. Profit. by Anonymous Coward · Score: 5, Insightful

    In other words, applications developed by people interested in profit are more likely to steal your data.

    Hopefully this does not come as a shock to most slashdotters.

    1. Re:Profit. by Anonymous Coward · Score: 5, Insightful

      Don't be obtuse. Whatever your stance on obtaining a copy of a more or less freely available* item of media, it's completely different from obtaining data about an individual without their consent. One is a civil issue dependent on the current legal and moral standings of the notion of copyright (which is far from universal or constant), the other is a privacy issue.

      *as in, available to anyone willing to pay

  2. First thing.. by geogob · Score: 5, Informative

    ...I did after jailbreaking my iPhone was to install a firewall. The experience was quite interesting, allowing me to see exactly which apps tried to contact remote sites and which sites they attempted to contact. And, to my knowledge, the only external sites contacted by unofficial apps I've seen were related to ad content.

    Access to private data outside of the apps (calendar, contacts, etc.) should be controllable on a per-app basis, just like with location service. And each app accessing this data should be carefully reverse engineered and analyzed to ensure it is safe.

  3. Well, did you accept the EULA? by Kaenneth · Score: 5, Informative

    I actually read the EULA for the recent game "Civilization V", and it said they could take your contacts list, and share/sell it.
    Fortunately, Valve/Steam was nice enough to give a refund before I installed it when I complained about it, "As a one-time courtesy", not as policy, I'm sad to say.
    Particularly since the EULA wasn't available for viewing until after purchase.
    http://forums.steampowered.com/forums/showthread.php?t=2109777

  4. Re:How about Android apps ? by lordbah · Score: 5, Interesting

    I've tried to discuss the permissions they require with some Android app makers but I've never gotten anywhere. It usually goes something like this:

    I inquire as to why an article reading app would need permission to use my camera. They say the app has a function to take pictures and submit them. I say I don't currently have any interest in doing that - can't they have a base app which doesn't require that permission, and then for those who want to do something like that, have an add-on app which does require that permission? They tell me that Android permissions don't work that way. I tell them that I won't be installing their app.

    or

    I ask why a game wants access to my contact list and permission to make phone calls. They tell me it's just for a "friends" function, and they only want to read my phone's ID, they promise they would never do anything unwanted. I say I don't trust you that much yet, can't you have a version which doesn't require those permissions, and over time maybe I will come to trust you and then I can install the full version? They tell me that Android permissions don't work that way.

    or

    I ask why a streaming music app would need permission to "send email without my knowledge" or access my calendar. They say the app has the ability to share stations with my friends, "entirely under your (my) control", and display ads with a button which can add an event (concert presumably) to my calendar. I ask why then they would need to be able to do these things "*without my knowledge*". They say thank you, come again. I say I won't be installing your app then.

    So I would say the permissions are nice in theory but in practice many app developers are not willing to finely tune them and either unwilling or unable because of (they claim) platform restrictions to provide variants of the app with different functionality and different permission requirements.

    I have no experience with iOS so I can't say anything about that.