Apple Yanks Privacy App From the App Store 136
wiredmikey writes "Back in May of this year, Internet security firm Bitdefender launched 'Clueful,' an iOS App that helps identify potentially intrusive applications and show users what they do behind their back, and giving users an inside look at all the information app developers can gather about a user. Seems legit, right? Apple doesn't think so. Or at least they have an issue with something behind the App that sparked them to pull it from the App Store. After initially reviewing and approving the App that was released on May 22, Apple has had a change of heart and has just removed the App from the AppStore. It's unclear [why it was yanked], and Bitdefender told SecurityWeek that the company is under NDA as far as explanations for the removal. Interestingly, Bitdefender did share some data that they gathered based on Clueful's analysis of more than 65,000 iOS apps so far, including the fact that 41.4 percent of apps were shown to track a user's location unbeknownst to them."
rotten (Score:4, Informative)
Uunbeknownst? (Score:4, Informative)
including the fact that 41.4 percent of apps were shown to track a user's location unbeknownst to them.
Unless they're doing something shady with private APIs or the like, I don't see how this is possible considering an app has to ask permission to enable location tracking, and the user can both see which applications they've granted it to and which ones have used it in the last 24 hours by going to their general settings.
I think what they really mean is, "We have nothing to lose after having our app pulled, so let's burn bridges by pretending that user's don't explicitly give permission for location tracking and saying that every app that tracks location is doing it behind the user's backs."
Also, what's up with both links in the summary going to the same article?
Re:Not what I signed up for (Score:5, Informative)
Even without the app, after I JB-ed my device and started running PMP (Protect My Privacy), and Firewall IP, two apps available from Cydia, it was an eye-opener.
I ran a news app. It connected to an insane amount of ad, behaviorial targeting, monitoring, tracking, and other sites that had zilch to deal with news, and all to deal with obtaining what the user has. Eventually, I just allowed it to connect to its own sites and blacklisted everything else.
I fired up another app. It didn't just want contacts, it wanted in one's music collection, and connected to all kinds of sites, none relevant in any way to what it was doing.
Apple needs to revisit iOS's security model. Because Apple does a damn good job at stopping most stuff before it gets on the App Store, it has kept people safe for a while. However, iOS's security allows an app to do what it wants to except delete pictures once it gets installed on the device. The only time a user would get prompted is if the device was using the GPS or was going to use notifications. Other than that, it could slurp the contact list and use the phone as an outgoing spam machine.
Re:preface: I'm not an IOS programmer... (Score:5, Informative)
Yes, they have to ask. The prompt is generated automatically in response to their request for location data, as you suggested, and suppressing it would do no good, since apps are sandboxed, meaning that they have no other recourse if the user denies the prompt or never sees it in the first place. I'm not aware of any way around it, and I seriously doubt there's a way around that's in use by a double-digit percentage of apps but has not yet been discovered by Apple and eliminated.
Re:Not what I signed up for (Score:4, Informative)
Access to contacts actually requires explicit authorisation too now. In the next software release anyway.
Re:Most of the app developers probably don't know (Score:4, Informative)
If you embed iAds, it actually doesn't require your permission - as the setting controlling whether iAds is allowed your location is actually buried under Location Services > System Services (yes, the advertising is a system service). Third party advertising kits (AdMob, etc) do require your permission.
Re:unbeknownst to them? (Score:4, Informative)
Not entirely. iAds can get your location without permission because it has a completely separate pre-approved entry under System Services to do it. So if the app uses iAds, it will appear to get your location without asking for it (even though only iAds has access to it).
Re:NDA What? (Score:4, Informative)
Well technically, the NDA has been dropped, but...
Relenting to pressure from the developer community, Apple has dropped the NDAs that developers were required to agree to when they submitted their applications for consideration on the iPhone App Store.
In a statement on its Web site, Apple states, "The NDA has created too much of a burden on developers, authors and others interested in helping further the iPhone's success, so we are dropping it for released software."
The previous version of the NDA [pcmag.com] required that a developer not discuss the reasons that its app may have been declined, and restricted developers from publicly rebutting Apple's refusal or dissecting the denial notification that Apple sent them. The revised NDA allows developers to publicly comment on the reasons their app was accepted or declined, and it allows developers to state that they've submitted an app for consideration--but unreleased software currently under review is still covered by the NDA, and Apple has asked developers not to comment on applications currently being considered for the App Store.
http://www.pcmag.com/article2/0,2817,2331498,00.asp [pcmag.com]
...but as the New York Times knows already (and every news outlet knows as well). There does not need to be an NDA in place for Apple to place you permanently in their penalty box [dailytech.com].
So I'd say the Bitdefender company definitely made the right call on this one, especially if it intends to have continued special access to the Apple ecosystem. The huge beast is quick-tempered and bears long grudges. It's best to say nothing that could potentially upset it.
Re:rotten (Score:2, Informative)
Re:Apple is beside itself on this one. (Score:5, Informative)
You could, of course, use Android without the Google integration (quite possible) or simply Something Else Entirely, like Meego, Symbian, Bada, WebOS, Blackberry or whatever. Choosing the iPhone for your privacy is just plain moronic.