IOS Iphone Privacy Software Apple

Unauthorized iOS Apps Leak Private Data Less Than Approved Ones

Sparrowvsrevolution writes "In the wake of news that the iPhone app Path uploads users' entire contact lists without permission, Forbes dug up a study from a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users' private data. Not only did the researchers find that one in five of the free apps in Apple's app store upload private data back to the apps' creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on 'jailbroken' iPhones, tend to leak private data far less frequently than Apple's approved apps. The researchers ran their analysis on 1,407 free apps (PDF) on the two platforms. Of those tested apps, 21 percent of official App Store apps uploaded the user's Unique Device Identifier, for instance, compared with only four percent of unauthorized apps."
  • Profit. (Score:5, Insightful)

    by Anonymous Coward on Wednesday February 15, 2012 @01:19AM (#39041551)

    In other words, applications developed by people interested in profit are more likely to steal your data.

    Hopefully this does not come as a shock to most slashdotters.

  • by mehrotra.akash ( 1539473 ) on Wednesday February 15, 2012 @01:26AM (#39041583)
    App store: Apple certifies app, people trust Apple, people download app, app creators can take advantage to get user data, unlikely to be caught
    Cydia: No certification, people are more likely to look at what the app is doing (also because someone who uses Cydia has a higher probability of knowing how to look at it), app creators more careful to not get a bad reputation
  • Malware vs. virii (Score:2, Insightful)

    by aaronb1138 ( 2035478 ) on Wednesday February 15, 2012 @01:51AM (#39041717)

    This reminds me a bit of the early days of spyware and malware when anti-virus companies were behind the curve and tried to write off that since malware was typically installed with user consent, they weren't responsible for scanning, detecting, and removing it. Apple is doing the same, but without even saying it's not their responsibility. Instead, they keep giving consumers the false belief in the safety of the walled / curated garden. An oddity to be noted as well is that the Apple store has actually moved mainstream consumers farther into the reliance on the vendor for repairs. While most telcos will tell users to back up their data as best they can and perform a wipe on Android, most iPhone users I have supported have told me stories about waiting as much as a couple hours to get an Apple Geek to wipe their phone.

    This is a nice companion piece from Forbes to the article on iOS crash rates versus Android.

    On a sideways note, most /.ers realized long ago that as OSX continues to increase in market share, they will become the target for virus writers. I sincerely doubt Apple's sandbox for apps will do much to stop them. If anything, the sandbox makes it harder to find a well-conceived malicious program.

  • Re:Profit. (Score:5, Insightful)

    by Anonymous Coward on Wednesday February 15, 2012 @01:52AM (#39041719)

    Don't be obtuse. Whatever your stance on obtaining a copy of a more or less freely available* item of media, it's completely different from obtaining data about an individual without their consent. One is a civil issue dependent on the current legal and moral standings of the notion of copyright (which is far from universal or constant), the other is a privacy issue.

    *as in, available to anyone willing to pay

  • Re:Profit. (Score:3, Insightful)

    by Anonymous Coward on Wednesday February 15, 2012 @01:57AM (#39041755)

    Arguably, they're stealing your privacy -- or at least stripping you of it.

    The same is not always true with a movie: I'm not depriving them of the movie, or even likely to spoil it for anyone else, and I'm not depriving them of profits they would otherwise have had I paid for the movie (simply because I will not buy a movie). (I do, however, go to many movies when they hit the cheap theater in town. Mostly I like the popcorn. That shit costs twice what the movie ticket costs, though.)

  • by hcs_$reboot ( 1536101 ) on Wednesday February 15, 2012 @02:06AM (#39041789)
    You know MobileMe / iCloud of course: knowing an App store email address and its password, gives you access to the following: where is the iPhone/user at anytime, contacts list, emails ... among others. Pretty important data.
    So, in the subway/room... you enter your password to download an App, and someone may see and remember the credentials. It may happen, and? Gmail, for instance, allows you to get the list of the recent accesses to your account.
    Apple App Store, MobileMe? Nothing. There is absolutely no way to determine if someone else accesses your account unless the other guy changes/orders something. The only solution according to Apple is "Change your password". That case happened to a friend of mine who is not much in IT, and got suspicious after a few coincidences of interest. Considering the weight of iCloud and MobileMe, some more data protection is needed from Apple.
  • by sarysa ( 1089739 ) on Wednesday February 15, 2012 @02:22AM (#39041825)
    I know that there is a considerable off-grid contingent on /., but I don't get why people use getting unique device identifier (UDID) as an example of stealing user data. It isn't hacking or anything -- it's a public API usable by any app writer. If it weren't acceptable to use, Apple wouldn't allow apps which access the UDID onto their store.

    There are a large number of practical applications for the UDID, ranging from the more user friendly uses such as automatic backup of app-specific data (i.e. game save), to mutually beneficial things like incentivization schemes, to features less popular to the user but necessary to make free content financially viable, i.e. targeted advertising.

    Whenever I rail against Apple around here, people always bring up the concept that most people just want their device to be an appliance, and don't want to care about the internals. This comes with said blissful ignorance. But those 20% of apps passing data back home aren't stealing anything -- they're just using another tool to profit in the modern mobile space. More than 99% of that 20% is sending no more than the UDID and data specific to the application itself. Stealing would be to somehow get the user's underlying iTunes account info and buying stuff with it. (though what Path was doing is a bit of a mess, heh...)
  • Re:Profit. (Score:5, Insightful)

    by Calos ( 2281322 ) on Wednesday February 15, 2012 @02:56AM (#39041967)

    I couldn't decide whether to mod you 'Overrated' (because I think you might actually believe what you're saying and are therefore not a Troll or Flamebait) or 'Funny' (because I can't figure out how exactly you're equating the two and it may well be a joke).

    So, instead, you get this reply.

    Now, understand that this doesn't come from someone who "claim(s) that pirating movies isn't stealing," though I do believe in the right to privacy. Maybe because of that, I don't see your insight into the matter (but apparently as you don't believe both, maybe you don't either). But I'm curious about why you see these things as the same, and why you think that there is an apparently significant intersection between the group that considers downloading movies not to be stealing and the group interested in privacy.

    You imply that a reproduction of the Mona Lisa and the details of your life, financial situation, activities, interests, online pseudonyms, and whereabouts are the same. Either you believe that I should be able to search for 'SiMac' on, say, the Pirate Bay and download this information same as I would a movie, or you don't. Which is it?

    Because even though I don't think that people should 'pirate' movies and I think I should have a right to privacy - I wouldn't equate the two. Why do you?

  • by Calos ( 2281322 ) on Wednesday February 15, 2012 @03:04AM (#39041997)

    And also completely defeating the purpose of the current system, disrupting the entire ecosystem. There's a chain, here: the app developers include these permissions so that they can profit from providing a free-to-download-app by serving ads, the ads paid for by those believing that they're targeting ads to those most likely to buy their product/service. If the users disrupt the data stream with 'dummy' data, the ad providers don't know how well they're targeting the ads, and the value to the ad purchasers diminishes.

    Not that I don't agree (and use software which lets me do the same on an Android phone) but the implications, when applied globally, greatly change the landscape.

  • Re:First thing.. (Score:3, Insightful)

    by mjwx ( 966435 ) on Wednesday February 15, 2012 @03:19AM (#39042035)

    Access to private data outside of the apps (calendar, contacts, etc.) should be controllable on a per-app basis, just like with location service.

    You mean the way Android does it? By listing the permissions the application has asked for when you install it.

    It wouldn't be the first thing they slavishly copied from Android (*cough*notification menu*cough*)

    And each app accessing this data should be carefully reverse engineered and analyzed to ensure it is safe.

    Good luck with that.

    Companies will object to their proprietary code and secrets being examined, users will scream until they get their fart apps.

  • by Pieroxy ( 222434 ) on Wednesday February 15, 2012 @04:23AM (#39042211) Homepage

    Has anyone done any research on Android apps, on the same topic?

    Actually, very few leak details.

    Android applications have to ask permissions to get access to the internet or your personal details.

    Which is all but the same as most tech-unaware users will dismiss the dialog. What they understand behind these dialog boxes is that if they click "No", the App won't work.

    It's a bit like electing the president. It's nice to ask people for their opinion, but the overwhelming majority has no clue what's at stake, so it serves very little purpose.

    Still, it's better than not asking. A little.

  • by IntlHarvester ( 11985 ) on Wednesday February 15, 2012 @04:40AM (#39042275) Journal

    Yes, I'd consider myself a 'tech-aware user', and even Google's own apps want such a laundry list of permissions, it turns into "fuck, whatever" and then you press OK.

    Using Android was actually an interesting experiment for me, because I'd mulled over the possibilities of a capabilities-based permission system for many years. Then when I finally got one, I found it was realistically about as useful as an IE ActiveX dialog.

  • Wait, what? (Score:2, Insightful)

    by Anonymous Coward on Wednesday February 15, 2012 @04:57AM (#39042339)

    The whole idea of the device UUID is to create a primary key for users without actually using any of their personal information. So what if someone is storing your UUID? That's the whole point!

    If you give them your name and email and bank account information, and they tie that in with your UUID, then you have bigger problems than your UUID being "uploaded".
