Unauthorized iOS Apps Leak Private Data Less Than Approved Ones

Sparrowvsrevolution writes "In the wake of news that the iPhone app Path uploads users' entire contact lists without permission, Forbes dug up a study from a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users' private data. Not only did the researchers find that one in five of the free apps in Apple's app store upload private data back to the apps' creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on 'jailbroken' iPhones, tend to leak private data far less frequently than Apple's approved apps. The researchers ran their analysis on 1,407 free apps (PDF) on the two platforms. Of those tested apps, 21 percent of official App Store apps uploaded the user's Unique Device Identifier, for instance, compared with only four percent of unauthorized apps."

First thing..

[geogob]

...I did after jailbreaking my iphone was to install a firewall. The experience was quite interesting, allowing me to see exactly which apps tried to contact remote sites and which sites they attempted to contact. And, to my knowledge, the only external sites contacted by unofficial apps I've seen were related to ad content.

Access to private data on outside of the apps (calendar, contacts, etc.) should be controllable on an per app basis, just like with location service. And each app accessing this data should be carefully reverse engineered and analyzed to ensure it is safe.

Re:How about Android apps ?

[mjwx]

Anyone has done any research on Android apps, on the same topic ?

Actually, very few leak details.

Android applications have to ask permissions to get access to the internet or your personal details.

Well, did you accept the EULA?

[Kaenneth]

I actually read the EULA for the recent game "Civilization V", and it said they could take your contacts list, and share/sell it.
Fortunently Valve/Steam was nice enough to give a refund before I installed it when I complained about it "As a one-time courtesy" not as policy, I'm sad to say.
Particularly since the EULA wasn't available for viewing until after purchase.
http://forums.steampowered.com/forums/showthread.php?t=2109777 [steampowered.com]

Re:How about Android apps ?

[jschrod]

I can't count the amount of Android apps that I didn't install because they want to have r/w access to my contacts, even though they obviously don't need it for their functionality.

There are also too many apps that demand an Internet connectivity where I ask myself why. Or I had to deinstall apps where the background process keeps downloading data all the time that I only need on a holiday, but not now; and I found no way of disabling the background process short of deinstallation (without rooting the phone, then means are available).

So I'd say, Android has it's similar share of problems.

Re:How about Android apps ?

[cduffy]

I wish you could restrict internet access to specific domains and I also wish you could turn off specific permissions

CyanogenMod does this (allowing specific permissions to be rescinded).

Re:How about Android apps ?

[Rich0]

Read for yourself here. [cyanogenmod.com]

I think the issue is that many of the CM devs care about their reputation in the phone industry. They don't want to tick off vendors, or Google.