
Unauthorized iOS Apps Leak Private Data Less Than Approved Ones

Posted by Soulskill
from the curated-for-a-different-purpose dept.
Sparrowvsrevolution writes "In the wake of news that the iPhone app Path uploads users' entire contact lists without permission, Forbes dug up a study from a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users' private data. Not only did the researchers find that one in five of the free apps in Apple's app store upload private data back to the apps' creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on 'jailbroken' iPhones, tend to leak private data far less frequently than Apple's approved apps. The researchers ran their analysis on 1,407 free apps (PDF) on the two platforms. Of those tested apps, 21 percent of official App Store apps uploaded the user's Unique Device Identifier, for instance, compared with only four percent of unauthorized apps."

  • Profit. (Score:5, Insightful)

    by Anonymous Coward on Wednesday February 15, 2012 @01:19AM (#39041551)

    In other words, applications developed by people interested in profit are more likely to steal your data.

    Hopefully this does not come as a shock to most slashdotters.

    • by sarysa (1089739) on Wednesday February 15, 2012 @02:22AM (#39041825)
      I know that there is a considerable off-grid contingent on /., but I don't get why people use getting unique device identifier (UDID) as an example of stealing user data. It isn't hacking or anything -- it's a public API usable by any app writer. If it weren't acceptable to use, Apple wouldn't allow apps which access the UDID onto their store.

      There are a large number of practical applications for the UDID, ranging from the more user friendly uses such as automatic backup of app-specific data (i.e. game save), to mutually beneficial things like incentivization schemes, to features less popular to the user but necessary to make free content financially viable, i.e. targeted advertising.

      Whenever I rail against Apple around here, people always bring up the concept that most people just want their device to be an appliance, and don't want to care about the internals. This comes with said blissful ignorance. But those 20% of apps passing data back home aren't stealing anything -- they're just using another tool to profit in the modern mobile space. More than 99% of that 20% is sending no more than the UDID and data specific to the application itself. Stealing would be to somehow get the user's underlying iTunes account info and buying stuff with it. (though what Path was doing is a bit of a mess, heh...)
      • by AmiMoJo (196126)

        My biggest problem with it is that it isn't generally made clear to the user unless they go looking. It probably says something vague about sending some identifying data back deep in the EULA somewhere but IMHO companies should be much more up-front about what they are doing.

        In particular instead of saying apps are "free" they should say "advertising supported" or "user tracking supported". As well as permission information the market/app store should say "tracks your device and app usage".

        • by Fnord666 (889225)

          In particular instead of saying apps are "free" they should say "advertising supported" or "user tracking supported".

          When it comes to mobile apps, I think that if you see the former, you should assume at least one of the latter.

      • How about we rephrase it as "Getting your name"?

        Maybe my betters know why it needs to be a Unique Device ID, but the privacy problems are growing because Unique ID Data all link to itself and it's only smoke and mirrors keeping it all from crashing in. Look at the mess the Social Security Number is in. "For your security, let's have the Last 4 of your Social and thanks to Facebook, your Mother's Maiden Name."

        So somewhere either now or later, someone will have a database of phone Unique Device ID's to Names.

      • by Rich0 (548339)

        Allowing people to build huge databases of devices with unique IDs is not a good idea. This is just CPU ID all over again. It takes control over a user's privacy away from the user.

        I'm fine with an API that assigns an app a unique ID on a particular phone, and which gives the user the ability to reset it to a new unique ID at any time, or force it to be a value of their own choosing. Oh, and two apps on the same phone get different IDs, and if you uninstall/reinstall the ID changes again. That makes the
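
An added illustration, not part of the comment above and not any Apple API: a Python sketch of the per-app, resettable identifier scheme that comment describes, next to a check showing why a single device-wide ID lets one collector link a user's apps. `PerAppIdService`, `cross_app_links`, the bundle IDs and the UDID value are hypothetical names and constructed sample data.

```python
import secrets
from collections import defaultdict

# Constructed sample value standing in for a device-wide identifier.
GLOBAL_UDID = "constructed-udid-0001"


class PerAppIdService:
    """Hypothetical OS-side service: one random ID per installed app."""

    def __init__(self):
        self._ids = {}  # bundle_id -> identifier currently shown to that app

    def install(self, bundle_id):
        # A fresh random value on every install, so reinstalling changes the ID.
        self._ids[bundle_id] = secrets.token_hex(16)

    def uninstall(self, bundle_id):
        # The old value is forgotten and can never be handed out again.
        self._ids.pop(bundle_id, None)

    def reset(self, bundle_id):
        # User-initiated reset: same app, new unlinkable identifier.
        if bundle_id not in self._ids:
            raise KeyError(bundle_id)
        self._ids[bundle_id] = secrets.token_hex(16)

    def set_custom(self, bundle_id, value):
        # User forces a value of their own choosing for one app.
        if bundle_id not in self._ids:
            raise KeyError(bundle_id)
        self._ids[bundle_id] = value

    def identifier_for(self, bundle_id):
        # An app can only ever learn its own identifier.
        return self._ids[bundle_id]


def cross_app_links(reports):
    """Group (bundle_id, identifier) reports by identifier.

    Returns {identifier: sorted list of apps} for every identifier that was
    reported by more than one app, i.e. what a single collector receiving
    data from several apps could join on.
    """
    seen = defaultdict(set)
    for bundle_id, identifier in reports:
        seen[identifier].add(bundle_id)
    return {i: sorted(apps) for i, apps in seen.items() if len(apps) > 1}


def demo():
    apps = ["com.example.game", "com.example.news", "com.example.chat"]
    service = PerAppIdService()
    for app in apps:
        service.install(app)

    # Device-wide ID: every app reports the same value.
    global_reports = [(app, GLOBAL_UDID) for app in apps]
    # Per-app IDs: each app reports only its own random value.
    scoped_reports = [(app, service.identifier_for(app)) for app in apps]

    return cross_app_links(global_reports), cross_app_links(scoped_reports)


if __name__ == "__main__":
    linked, scoped = demo()
    print("device-wide ID links:", linked)
    print("per-app ID links:", scoped)
```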

        • by tqk (413719)

          This is just CPU ID all over again. It takes control over a user's privacy away from the user.

          Yes. These are "free" apps. Not News: corporations aren't the only predatory entities out there. There's still individuals mugging and raping people all on their own.

          Windows has viruses and trojans, iBaubles do the same thing in different ways 20% of the time. Who knew?!? :-O

          Tell your friends: free is not necessarily equal to benign. Even FLOSS advocates learned that a long time ago. You go with your distro's software repository, not just random tarballs you stumble across and hope for the best.

          Appare

      • by dzfoo (772245)

        You didn't read the PDF of the experiment, did you? In there they explained the risk of capturing the UDID.

        The identifier by itself does not say much. However, most of the companies offering the frameworks are either advertising brokers, or affiliated to them, which then use the captured identifiers to correlate them with additional personally identifying information captured through other applications and services in order to build a profile of the user.

        They give as an example AdMob, which is owned b

      • Apple wouldn't allow apps which access the UDID onto their store.

        Apple has removed UUID from the public API starting in iOS 5. The problem is that Apple has already allowed apps which use UUID into their store.

        It's still possible to read the wireless MAC address, so identifying individual iPads and users is still possible.

    • Yep, not surprised one bit. This is part of the reason I use FOSS apps wherever possible.

      And this is a big part of the motivation to "appify" everything - to break the inherent sandboxing ability of a browser, to get direct access to all your personal data.

    • by morgauxo (974071)
      Lots of stuff in Cydia isn't free. In fact some of it is pretty expensive.
  • Clearly, there seems to be a need for a privacy firewall, that will filter all data on a computer system, somewhat like the military 'data-diodes'.
    • by mehrotra.akash (1539473) on Wednesday February 15, 2012 @01:31AM (#39041619)
      Or at least a virtual "profile" with random data in it, and while launching apps, you should be able to choose which data you want to give it access to
  • by mehrotra.akash (1539473) on Wednesday February 15, 2012 @01:26AM (#39041583)
    App store: Apple certifies app, people trust Apple, people download app, app creators can take advantage to get user data, unlikely to be caught
    Cydia: No certification, people are more likely to look at what the app is doing (also because someone who uses Cydia has a higher probability of knowing how to look at it), app creators more careful to not get a bad reputation
    • by MogNuts (97512)

      Exactly.

      "B-b-but but Apple stuff doesn't get viruses/malware/trojans!"

      Make no mistake, this is what trojans are and what they do. I wonder how many of those take more than just the unique ID (see Path silently stealing customer address books). There was an article a while back mentioning the amount.

      I'm surprised the "carefully curated" meme gets passed along here at slashdot with so many people who should know better. And I love to see those knocking Android saying it has malware. Ever notice that those articles

      • by jo_ham (604554)

        Not that I disagree with the UAC model that Android uses per se, but with your final sentence you're equating apps being able to send your UDID to the developer with a virus?

        Let's ignore the fact that, assuming the comparisons were valid it would be a trojan and not a virus, I'm not sure you can logically make the argument that apps on the iOS app store using one of Apple's own APIs to identify the client handset is equivalent to those apps being classed as viruses and malware.

        Malware would be an app that h

        • by MogNuts (97512)

          Let me first preface this by saying that I do appreciate your well-thought-out and detailed reply.

          Not that I disagree with the UAC model that Android uses per se, but with your final sentence you're equating apps being able to send your UDID to the developer with a virus?

          It states right in the article that in addition to the ID, location data is stolen and so is your contact list. You don't call that a trojan/virus/malware? In addition, it was found that 3 apps on the App Store even record ambient room audio without your knowledge (article a month or two back). That is the absolute utmost of vile malware.

          Let's ignore the fact that, assuming the comparisons were valid it would be a trojan and not a virus, I'm not sure you can logically make the argument that apps on the iOS app store using one of Apple's own APIs to identify the client handset is equivalent to those apps being classed as viruses and malware.

          See above. In addition, Apple's official policy flat out refuses apps to give out locatio

  • Methodology? (Score:3, Interesting)

    by tartles (2540270) on Wednesday February 15, 2012 @01:32AM (#39041623)
    I checked the source publication and the following paragraph describes how they chose the apps:

    Since iTunes does not support direct searches for free applications, we rely on apptrakr.com [2] to provide a continuously updated list of popular, free iOS applications. Once a new application is added to their listings, our system automatically downloads the application via iTunes and decrypts it. Subsequently, the application is analyzed with PiOS.

    I didn't see anything that described how they chose the Cydia apps however. I bring this up because there are numerous very popular Cydia apps that are simply iOS tweaks that adjust a piece of the interface or something similar. These apps would intuitively be less likely to require any sort of user information at all, so I'm not sure how much I trust these results.

    • by Calos (2281322)

      Fair point, I guess the question hinges on what constitutes an "app." To me, a UI modification or tweak isn't an app. Whether or not the 'researchers' believe the same is the question.

      • by ClintJCL (264898)
        But a UI modification app, whether or not you think it is an app -- if it's something that you download, install, and run -- then it's something that has the potential to send private user data. Just because it's less likely to doesn't mean it shouldn't be examined or counted; that's like saying that Solitaire apps are less likely to use network traffic than Online Chat apps, and thus measuring them messes up the methodology. How about we just measure what is out there?
  • Malware vs. virii (Score:2, Insightful)

    by aaronb1138 (2035478)

    This reminds me a bit of the early days of spyware and malware when anti-virus companies were behind the curve and tried to write off that since malware was typically installed with user consent, they weren't responsible for scanning, detecting, and removing it. Apple is doing the same, but without even saying it's not their responsibility. Instead, they keep giving consumers the false belief in the safety of the walled / curated garden. An oddity to be noted as well is that the Apple store has actually

    • by mjwx (966435)

      This reminds me a bit of the early days of spyware and malware when anti-virus companies were behind the curve and tried to write off that since malware was typically installed with user consent, they weren't responsible for scanning, detecting, and removing it. Apple is doing the same, but without even saying it's not their responsibility. Instead, they keep giving consumers the false belief in the safety of the walled / curated garden.

      This isn't entirely accurate. Apple have taken responsibility for scann

  • by Petersko (564140) on Wednesday February 15, 2012 @01:53AM (#39041735)
    I hope the programmers among us actually read some of this study before chiming in based on its veracity... I'm just a few pages in and alarm bells are going off all over the place.
    • by dzfoo (772245)

      Can you elaborate? I am a programmer, and I read the PDF provided in the article. My conclusion is that they did a very clever job in creating a mechanism that could statically analyse the code and determine with some degree of certainty that some functions were accessing what they considered to be personal information; and then transmitted this over the wire. It is clever because, due to its complex and dynamic nature, the Objective-C runtime does not make static analysis easy or practical.

      They also me

  • by hcs_$reboot (1536101) on Wednesday February 15, 2012 @02:06AM (#39041789)
    You know MobileMe / iCloud of course: knowing an App store email address and its password, gives you access to the following: where is the iPhone/user at any time, contacts list, emails ... among others. Pretty important data.
    So, in the subway/room... you enter your password to download an App, and someone may see and remember the credentials. It may happen, and? Gmail, for instance, allows you to get the list of the recent accesses to your account.
    Apple App Store, MobileMe? Nothing. There is absolutely no way to determine if someone else accesses your account unless the other guy changes/orders something. The only solution according to Apple is "Change your password". That case happened to a friend of mine who is not much in IT, and got suspicious after a few coincidences of interest. Considering the weight of iCloud and MobileMe, some more data protection is needed from Apple.
  • First thing.. (Score:5, Informative)

    by geogob (569250) on Wednesday February 15, 2012 @02:29AM (#39041859)

    ...I did after jailbreaking my iphone was to install a firewall. The experience was quite interesting, allowing me to see exactly which apps tried to contact remote sites and which sites they attempted to contact. And, to my knowledge, the only external sites contacted by unofficial apps I've seen were related to ad content.

    Access to private data outside of the apps (calendar, contacts, etc.) should be controllable on a per-app basis, just like with location service. And each app accessing this data should be carefully reverse engineered and analyzed to ensure it is safe.

    • Re: (Score:3, Insightful)

      by mjwx (966435)

      Access to private data outside of the apps (calendar, contacts, etc.) should be controllable on a per-app basis, just like with location service.

      You mean the way Android does it? By listing the permissions the application has asked for when you install it.

      It wouldn't be the first thing they slavishly copied from Android (*cough*notification menu*cough*)

      And each app accessing this data should be carefully reverse engineered and analyzed to ensure it is safe.

      Good luck with that.

      Companies will object to their proprietary code and secrets being examined, users will scream until they get their fart apps.

      • by geogob (569250)

        You mean the way Android does it? By listing the permissions the application has asked for when you install it.

        It wouldn't be the first thing they slavishly copied from Android (*cough*notification menu*cough*)

        First, I don't think it's in any way relevant who did it before. And if someone did it and it worked well, then I sure do hope they will copy it.
        I'm really getting tired of reading comments like these parallel to comments against intellectual property, patent trolling, etc.

        Companies will object to their proprietary code and secrets being examined, users will scream until they get their fart apps.

        You don't have to have access to the code to reverse engineer a program. In fact, if you have access to the source code, I wouldn't call it reverse engineering at all. Reverse engineering what a program does, in the context of network communi

      • by Rich0 (548339)

        You mean the way Android does it? By listing the permissions the application has asked for when you install it.

        The Android solution is pretty lousy. If you want to use Facebook, then you have to use their app. So, Android just tells you how much they're raping you before they go ahead and do it. If you want to be out of touch you always have that option.

        The solution is to let users opt out of individual permissions, and for it not to be possible for an app to detect that this is happening. The only effective solution I've seen for this is LBE Privacy Guard. Cyanogenmod grudgingly added a similar feature, but it

  • by Kaenneth (82978) on Wednesday February 15, 2012 @02:58AM (#39041971) Homepage Journal

    I actually read the EULA for the recent game "Civilization V", and it said they could take your contacts list, and share/sell it.
    Fortunately Valve/Steam was nice enough to give a refund before I installed it when I complained about it "As a one-time courtesy" not as policy, I'm sad to say.
    Particularly since the EULA wasn't available for viewing until after purchase.
    http://forums.steampowered.com/forums/showthread.php?t=2109777 [steampowered.com]

    • Some PC games will scrape your browser history, such as NFS:Shift. They'll actually use it to adjust the in-game advertising.

  • Wait, what? (Score:2, Insightful)

    by Anonymous Coward

    The whole idea of the device UUID is to create a primary key for users without actually using any of their personal information. So what if someone is storing your UUID? That's the whole point!

    If you give them your name and email and bank account information, and they tie that in with your UUID, then you have bigger problems than your UUID being "uploaded".

  • Bullshit (Score:2, Interesting)

    by Anonymous Coward

    "21 percent of official App Store apps uploaded the user's Unique Device Identifier"

    In iOS 5.x it's impossible to read out the UDID.
    Everybody still on 4.x should ask himself: Why?

    • In addition, the UDID is not a big threat in terms of "personal data." It is nothing more than a serial number of the device. Big-fucking-whoop. So you got my serial number; I couldn't care less. The number leaking actual personal data is more like 0.0000001%.
  • The analysis was great. They used some very clever techniques, and wrote it up thoroughly.

    The reporting is absurdly overhyped, with statements like "one in five of the free apps in Apple's app store upload private data back to the apps' creators " Almost all of the "privacy leaking" was simply apps capturing device ID's (UDID), which is a routine piece of data collected for issue resolution, and isn't "privacy" any more than a web server logging your IP address is violating your privacy. If you're worried abo

    • I wish I had mod points to bump you up. The UDID is nothing more than a device serial number. That is not personal data. Of course all the haters will scream, "See, Apple is evil!" Over-hyped nonsense.
      • I'm not so sure about UDID giving away no more privacy than IP.

        IP doesn't identify a single device, thanks to NATs and dynamic pools and conversely same device isn't bound to single IP, it's a many-to-many relation. To track someone specific you need more than his IP, like a cookie, for example. And many indeed disable browser cookies for this very reason, just as you propose.

        UDID, on the other hand, is a strict one-to-one relation, it's unchangeable, linked to single device and can't be disabled. UDID is much better suited for tracking and collating info across different sources. Add a little bit more, and you're tracking a user even after a new phone purchase.

        • I'm not so sure about UDID giving away no more privacy than IP.

          IP doesn't identify a single device, thanks to NATs and dynamic pools and conversely same device isn't bound to single IP, it's a many-to-many relation. To track someone specific you need more than his IP, like a cookie, for example. And many indeed disable browser cookies for this very reason, just as you propose.

          UDID, on the other hand, is a strict one-to-one relation, it's unchangeable, linked to single device and can't be disabled. UDID is much better suited for tracking and collating info across different sources. Add a little bit more, and you're tracking a user even after a new phone purchase.

          If only a UDID is extracted, you are tracking a SERIAL NUMBER only - not a person.

          • by unity100 (970058)

            if you track a 'serial number' of a device enough, you can easily map the tracked to particular persons after you amass a certain size of data. this is what websites are doing.

            • if you track a 'serial number' of a device enough, you can easily map the tracked to particular persons after you amass a certain size of data. this is what websites are doing.

              Perhaps if the application is a web browser, that would mean something, but I can't imagine too many people using an alternate web browser. With any other app, you get the fact that they used your own app only - perhaps multiple apps if you make them. If no OTHER data is leaked, you get nothing else.

      • by Pope (17780)

        My Address Book information is personal data. This is less an Apple problem than an Evil Developer problem: they're the ones stealing contacts without asking.

        Hell, why does Angry Birds need my Location Services info?

        • My Address Book information is personal data. This is less an Apple problem than an Evil Developer problem: they're the ones stealing contacts without asking.

          Hell, why does Angry Birds need my Location Services info?

          No shit your Address Book is personal data and any Dev stealing that is evil. My point was that the article says 21% "steal" the UDID, which is just a serial number, not personal data. My guess on Angry Birds is they have a geography-based leaderboard you can check out (I know an air-traffic controller game that does).

        • Hell, why does Angry Birds need my Location Services info?

          If you're referring to ad-supported "free" games, I imagine that the app's sponsors want to show you ads for local businesses near your location, not on another continent.

    • Almost all of the "privacy leaking" was simply apps capturing device ID's (UDID), which is a routine piece of data collected for issue resolution, and isn't "privacy" any more than a web server logging your IP address is violating your privacy.

      Bad analogy, an IP only identifies a particular internet connection, and if you have a dynamic IP that doesn't even mean much. The iShiny's UUID is more like the mobo serial number on a PC.

      • by jo_ham (604554)

        Ok, it's more like the MAC address. (yes, yes, I know you can change that on most network devices)

        The point is the story is enormous overhype designed to make Apple look bad, since the classification of the UDID being "private data" inflates the numbers and the use of the term "leak" in the headline is grossly misleading, since there's an API for determining the UDID in iOS.

        I might as well say my ip address is being "leaked" onto the internet when I go to "whatismyip.com".

        The study *did* identify some actual

        • Apple's UDID is at least as permanent as a mobo serial, even a MAC address is much less personal and easy to change. It's device-unique and can't be changed, I'd say it's quite fair to call it personal info.

  • how badly the european style privacy and 'forget me' laws were necessary.
