Slashdot Mirror


Apple Yanks Privacy App From the App Store

wiredmikey writes "Back in May of this year, Internet security firm Bitdefender launched 'Clueful,' an iOS App that helps identify potentially intrusive applications and shows users what they do behind their backs, giving users an inside look at all the information app developers can gather about a user. Seems legit, right? Apple doesn't think so. Or at least they have an issue with something behind the App that sparked them to pull it from the App Store. After initially reviewing and approving the App that was released on May 22, Apple has had a change of heart and has just removed the App from the AppStore. It's unclear [why it was yanked], and Bitdefender told SecurityWeek that the company is under NDA as far as explanations for the removal. Interestingly, Bitdefender did share some data that they gathered based on Clueful's analysis of more than 65,000 iOS apps so far, including the fact that 41.4 percent of apps were shown to track a user's location unbeknownst to them."

  1. Apple is beside itself on this one. by sethstorm · · Score: 4, Insightful

    Sounds like Apple wants to be on both sides of their 1984 commercial. Not only do they want to be on the side that "is different" while being on the side that hates freedom and privacy.

    --
    Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
    1. Re:Apple is beside itself on this one. by zeroryoko1974 · · Score: 5, Insightful

      They want to be on the side that makes them billions of dollars a year

    2. Re:Apple is beside itself on this one. by Anonymous Coward · · Score: 3, Insightful

      doy

      sell someone an image to buy into and they become your slave

      Apple has been selling an image for a long time, hence all the "Religion of Steve" jokes

    3. Re:Apple is beside itself on this one. by tapspace · · Score: 4, Insightful

      Agreed... which if the average Joe valued his or her own privacy and freedom to control their own device, wouldn't be the side that makes billions of dollars a year. But unfortunately, Joe doesn't give a shit, so it is.

      I seriously hope you're not referring to Android here. Yeah, I want my phone to be a direct feed into the servers of the world's largest targeted marketing multinational. I have an iPhone specifically because it lacks Google integration. If the average Joe valued his or her privacy as much as this, he or she wouldn't own a smartphone at all.

    4. Re:Apple is beside itself on this one. by MrHanky · · Score: 4, Informative

      You could, of course, use Android without the Google integration (quite possible) or simply Something Else Entirely, like Meego, Symbian, Bada, WebOS, Blackberry or whatever. Choosing the iPhone for your privacy is just plain moronic.

  2. rotten by harvey+the+nerd · · Score: 3, Informative

    Somebody doesn't like potential victims to watch back. Wonder if this is really a rotten Apple, a big telco-ISP, or perhaps NSA.

    1. Re:rotten by viperidaenz · · Score: 3, Interesting

      Why can't it be all 3? It definitely requires a rotten Apple though as they are doing the dirty work.

    2. Re:rotten by RLBrown · · Score: 4, Insightful

      Dirty work? Do not be so sure. The article raises the possibility that Apple did not like the Clueful app because it discloses to users that some developers are in fact evil. But then this possibility is knocked down as not being likely. So we are left with a big question as to why the Clueful app was pulled. The most likely reason is that the app fell into a technical TOS violation, something that is prohibited but in this case would have in fact been okay. Perhaps because the app sends user data back to the developer? Even if that was done for benign and beneficial use, it could still be a TOS violation. Let's not conjure up headlines. I know a lot of developers do not like the walled garden, but after the "Find and Call" incident, maybe users view the wall in a different light.

      --
      -- Perhaps I see less than some, but more than many.
    3. Re:rotten by dracocat · · Score: 5, Interesting

      This is probably nothing more than the app had to have broken out of its sandbox. There should not have been a way for the app to monitor what other apps were doing without doing something disallowed by Apple.

      Not saying I don't want this app, or that some arrangement/exclusion shouldn't be reached by the two companies (perhaps with a code review to make sure everything they are doing outside of the sandbox is benign), but I don't think this is a big conspiracy.

      Just simply Apple continuing in its tunnel vision of not allowing apps full freedom on its phone.

      Would definitely install this app if it was brought back. Perhaps release code so we can install it ourselves?

    4. Re:rotten by MBCook · · Score: 3, Interesting

      That's kind of what I was wondering, unless the app is simply a searchable catalog of the apps they have previously studied.

      I'm curious how apps get your location without your knowledge? The first time an app asks you're supposed to get the location services popup, and whenever your location is being accessed you're supposed to get the little location arrow in the status bar at the top of the phone.

      As much as I love my iPhone, I'm glad to see Apple get embarrassed by some of this stuff. The fact that many games were taking your phonebook simply because they could and sending it to the developer's servers was insane.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    5. Re:rotten by amicusNYCL · · Score: 3, Insightful

      The article raises the possibility that Apple did not like the Clueful app because it discloses to users that some developers are in fact evil.

      Wouldn't that be a good way to weed out those developers? You're suggesting that Apple may prefer that people don't know which developers are the evil ones?

      The most likely reason is that the app fell into a technical TOS violation

      Why is that the most likely reason, as opposed to Apple just not liking the transparency that the app provides?

      Perhaps because the app sends user data back to the developer?

      Plenty of apps do that. Bitdefender says that 20% of apps they've studied send user data to the internet without notifying the user.

      Let's not conjure up headlines.

      What choice do we have? Apple put Bitdefender under an NDA regarding the removal, and Apple themselves won't justify why they did it unless they're basically forced to. We have no choice but to speculate.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    6. Re:rotten by fustakrakich · · Score: 5, Insightful

      We have no choice but to speculate.

      Yep, and we should always assume the worst until they come clean. It's the only way to get a response.

      --
      “He’s not deformed, he’s just drunk!”
  3. Most of the app developers probably don't know by Anonymous Coward · · Score: 4, Insightful

    That the ad library they embed is tracking the user location.

    1. Re:Most of the app developers probably don't know by Kalriath · · Score: 3, Informative

      If you embed iAds, it actually doesn't require your permission - as the setting controlling whether iAds is allowed your location is actually buried under Location Services > System Services (yes, the advertising is a system service). Third party advertising kits (AdMob, etc) do require your permission.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  4. Sounds correct by freeweaver · · Score: 4, Insightful

    Of course, you understand this has nothing to do with privacy right? The app was pulled because it didn't conform to our freedom respecting terms & conditions.

    That is, our freedom to collect all your data.

  5. NDA What? by sir-gold · · Score: 4, Insightful

    What kind of NDA do they have that keeps them from saying why it was pulled? (or do they have a "fight club" NDA prohibiting them from talking about the NDA?)

    Does Apple make every iOS developer sign an NDA, or only the security researchers?

    Something doesn't add up here.

    1. Re:NDA What? by Anonymous Coward · · Score: 3, Interesting

      The Federal government routinely (anymore) uses National Security Letters to shred the entire Bill of Rights, and one of the provisions of NSLs is an NDA. After the Patriot Act was passed, anyone violating that NDA risked going to prison. Today, they can just disappear.

      I smell a rotten fish, not Apple, at the core of this particular "incident", a rotten fish wrapped in an old Washington Post newspaper, if you know what I mean.

    2. Re:NDA What? by stephanruby · · Score: 3, Informative

      Well technically, the NDA has been dropped, but...

      Relenting to pressure from the developer community, Apple has dropped the NDAs that developers were required to agree to when they submitted their applications for consideration on the iPhone App Store.

      In a statement on its Web site, Apple states, "The NDA has created too much of a burden on developers, authors and others interested in helping further the iPhone's success, so we are dropping it for released software."

      The previous version of the NDA required that a developer not discuss the reasons that its app may have been declined, and restricted developers from publicly rebutting Apple's refusal or dissecting the denial notification that Apple sent them. The revised NDA allows developers to publicly comment on the reasons their app was accepted or declined, and it allows developers to state that they've submitted an app for consideration--but unreleased software currently under review is still covered by the NDA, and Apple has asked developers not to comment on applications currently being considered for the App Store.

      http://www.pcmag.com/article2/0,2817,2331498,00.asp

      ...but as the New York Times knows already (and every news outlet knows as well), there does not need to be an NDA in place for Apple to place you permanently in their penalty box.

      So I'd say the Bitdefender company definitely made the right call on this one, especially if it intends to have continued special access to the Apple ecosystem. The huge beast is quick-tempered and bears long grudges. It's best to say nothing that could potentially upset it.

  6. Unbeknownst? by Anubis+IV · · Score: 3, Informative

    including the fact that 41.4 percent of apps were shown to track a user's location unbeknownst to them.

    Unless they're doing something shady with private APIs or the like, I don't see how this is possible considering an app has to ask permission to enable location tracking, and the user can both see which applications they've granted it to and which ones have used it in the last 24 hours by going to their general settings.

    I think what they really mean is, "We have nothing to lose after having our app pulled, so let's burn bridges by pretending that users don't explicitly give permission for location tracking and saying that every app that tracks location is doing it behind the users' backs."

    Also, what's up with both links in the summary going to the same article?

  7. Who's that? by Sponge+Bath · · Score: 5, Funny

    That's Clueful, he fights for the iUsers.

  8. Re:Sounds like scare-ware to me by Anonymous Coward · · Score: 5, Insightful

    The problem with this sort of app is it is delivering information based on some probing and some guesses but has no idea what is being done with the information. Not knowing anything about Clueful I can only guess they are looking for API calls that would tend to indicate certain behaviors are present in an app.

    The first caution therefore is that because an API call is present in an app there is nothing whatsoever to indicate when or how it is being used, if it is being used at all. Therefore we are talking about possibilities and potentialities, not facts.

    Emphasis mine. There is no problem with this sort of application. This is exactly the reason the application exists, to inform you that you have no idea what is being done with the information.

    Seems like you're either a shill, or completely missed the point that such applications and users of such applications have a desire to know more (than apparently 40% of the other applications aren't telling).

  9. Re:Sounds like scare-ware to me by Halo1 · · Score: 5, Insightful

    The problem with this sort of app is it is delivering information based on some probing and some guesses but has no idea what is being done with the information. Not knowing anything about Clueful ...

    Not knowing anything about Clueful, you spend 5 paragraphs criticising the developers of that application for presenting information that may not be 100% correct. You need to look up the definition of "irony" and do it fast, because I feel a new one is in the making.

    --
    Donate free food here
  10. Re:Not what I signed up for by Anonymous Coward · · Score: 5, Informative

    Even without the app, after I JB-ed my device and started running PMP (Protect My Privacy), and Firewall IP, two apps available from Cydia, it was an eye-opener.

    I ran a news app. It connected to an insane amount of ad, behavioral targeting, monitoring, tracking, and other sites that had zilch to deal with news, and all to deal with obtaining what the user has. Eventually, I just allowed it to connect to its own sites and blacklisted everything else.

    I fired up another app. It didn't just want contacts, it wanted in one's music collection, and connected to all kinds of sites, none relevant in any way to what it was doing.

    Apple needs to revisit iOS's security model. Because Apple does a damn good job at stopping most stuff before it gets on the App Store, it has kept people safe for a while. However, iOS's security allows an app to do what it wants to except delete pictures once it gets installed on the device. The only time a user would get prompted is if the device was using the GPS or was going to use notifications. Other than that, it could slurp the contact list and use the phone as an outgoing spam machine.

  11. Walled Garden by Adrian+Lopez · · Score: 4, Insightful

    I'm not at all unsympathetic, but that's what you get when you develop for a "curated" platform.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  12. Re:preface: I'm not an IOS programmer... by Anubis+IV · · Score: 4, Informative

    Yes, they have to ask. The prompt is generated automatically in response to their request for location data, as you suggested, and suppressing it would do no good, since apps are sandboxed, meaning that they have no other recourse if the user denies the prompt or never sees it in the first place. I'm not aware of any way around it, and I seriously doubt there's a way around that's in use by a double-digit percentage of apps but has not yet been discovered by Apple and eliminated.

  13. Re:Sounds like scare-ware to me by jmerlin · · Score: 3, Interesting

    It doesn't matter. Perhaps this tool doesn't go far enough. DTrace provides you direct insight into what's going on, and you have access to enough syscalls to actually figure out what's being done with information, too. I'd love a full DTrace on my iPhone and an app that's set up to periodically watch apps to see if they're doing anything weird. I audit software like this on my Linux and Windows systems ALL the time. I've even made basic binary instrumentation tools to automatically instrument binary libraries (imports/exports) to get more application-specific information. It's amazing to see what some applications do with your information. Unless we require software vendors to disclose every I/O action that a piece of software can possibly make (and what the purpose of such an action is) truthfully, which will never be a requirement, we need tools like this. The certainty is a non-factor. It simply shows you that an application accesses something.

    For instance, if my instant messaging program is accessing my recent internet history from Internet Explorer or Chrome, I'm going to get really, REALLY skeptical that it has any business whatsoever looking at that. It doesn't matter if there's a legitimate reason for it.

  14. Re:Not what I signed up for by Kalriath · · Score: 3, Informative

    Access to contacts actually requires explicit authorisation too now. In the next software release anyway.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  15. Re:preface: I'm not an IOS programmer... by Kalriath · · Score: 3, Insightful

    The exception is if they have iAds embedded, as iAds has location services enabled for it specifically. He was probably seeing the results of the iAds system pulling location details so it can get location-based adverts.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  16. Re:unbeknownst to them? by Kalriath · · Score: 3, Informative

    Not entirely. iAds can get your location without permission because it has a completely separate pre-approved entry under System Services to do it. So if the app uses iAds, it will appear to get your location without asking for it (even though only iAds has access to it).

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  17. Interesting by wzinc · · Score: 3, Interesting

    "The fact that 41.4 percent of apps were shown to track a user's location unbeknownst to them."

    ...because iOS always asks on the first location look-up and it always shows the arrow/gps icon in the upper right. Also, you can shut off GPS app-by-app or for all in the prefs. If apps are somehow going around Apple's only way to access the GPS, they wouldn't be approved; this is impossible. Obviously, if BitDefender's app can tell that easily, Apple's screening process would detect a private API GPS call, and flag the app. A few falling through the cracks is one thing, but 41.1% is some type of sensationalism or scare-mongering (i.e. a lie). The only possibility of any truth is that "bad" apps send out the wifi base station name or IP address and get a general location from that. They're not accessing the GPS without permission.